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INFORMATION SHARING ENVIRONMENT (ISE) 
FUNCTIONAL STANDARD (FS) 
SUSPICIOUS ACTIVITY REPORTING (SAR) 


VERSION 1.5.5 


. Authority. Homeland Security Act of 2002, as amended; The Intelligence Reform and 
Terrorism Prevention Act of 2004 (IRTPA), as amended; Presidential Memorandum dated 
April 10, 2007 (Assignment of Functions Relating to the Information Sharing Environment); 
Presidential Memorandum dated December 16, 2005 (Guidelines and Requirements in 
Support of the Information Sharing Environment); DNI memorandum dated May 2, 2007 
(Program Manager’s Responsibilities); Executive Order 13388; and other applicable 
provisions of law, regulation, or policy. 


. Purpose. This issuance updates the Functional Standard for ISE-SARs and is one of a series 
of Common Terrorism Information Sharing Standards (CTISS) issued by the Program 
Manager for the Information Sharing Environment (PM-ISE). While limited to describing the 
ISE-SAR process and associated information exchanges, information from this process may 
support other ISE processes, to include alerts, warnings, and notifications; situational 
awareness reporting; and terrorist watchlisting. 


. Applicability. This JSE-SAR Functional Standard applies to all departments or agencies that 
possess or use terrorism or homeland security information or intelligence, operate systems 
that support or interface with the ISE, or otherwise participate (or expect to participate) in the 
ISE, as specified in Section 1016(1) of the IRTPA, and in the Nationwide Suspicious Activity 
Reporting (SAR) Initiative (NSID. 


. References. ISE Implementation Plan, November 2006; ISE Enterprise Architecture 
Framework (EAF), Version 2.0, September 2008; Initial Privacy and Civil Liberties Analysis 
for the Information Sharing Environment, Version 1.0, September 2008; Privacy, Civil 
Rights, and Civil Liberties Analysis and Recommendations, Nationwide Suspicious Activity 
Reporting Initiative (July 2010); ISE-AM-300: Common Terrorism Information Standards 
Program, October 31, 2007; Common Terrorism Information Sharing Standards Program 
Manual, Version 1.0, October 2007; National Information Exchange Model, Concept of 
Operations (CONOPS), Version 0.5, January 9, 2007; 28 Code of Federal Regulations (CFR) 
Part 23; Executive Order 13526 (Classified National Security Information), December 29, 
2009; Nationwide Suspicious Activity Reporting Concept of Operations, December 2008; 
ISE Suspicious Activity Reporting Evaluation Environment (EE) Segment Architecture, 
December 2008; JSE-SAR Functional Standard v. 1.5 (2009); and the National Strategy for 
Information Sharing and Safeguarding, December 2012; NSI SAR Data Repository (SDR) 
CONOPS, January 2014. 
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5. Definitions. 


a. Artifact: Detailed mission product documentation addressing information exchanges and 
data elements for ISE-SAR (data models, schemas, structures, etc.). 


b. Common Terrorism Information Sharing Standards (CTISS): Business process-driven, 
performance-based “common standards” for preparing terrorism-related (and other) 
information for maximum distribution and access, to enable the acquisition, access, 
retention, production, use, management, and sharing of terrorism-related information 
within the ISE. CTISS, such as this ISE-SAR Functional Standard, are implemented in 
ISE participants’ infrastructures as described in the JSE EAF. CTISS identifies two 
categories of common standards: 


1. Functional standards—set forth rules, conditions, guidelines, and characteristics of 
data and mission products supporting ISE business process areas. 


2. Technical standards—document specific technical methodologies and practices to 
design and implement information sharing capability into ISE systems. 


c. Nationwide SAR Initiative (NST) SAR Data Repository (SDR): The NSI SDR consists of 
a single data repository, built to respect and support originator control and local 
stewardship of data, which incorporates Federal, State, and local retention policies. 
Within the SDR, hosted data enclaves extend this approach to information management 
and safeguarding practices by ensuring a separation of data across participating agencies. 


d. eGuardian: eGuardian is the FBI’s unclassified, Web-based system for receiving, 
tracking, and sharing ISE-SARs in the NSI as well as receiving and documenting other 
terrorism-related information, such as watchlist encounters or terrorism-related events, 
and other cyber or criminal threat information. (AII information that is available to NSI 
participants through the eGuardian SDR will be vetted by a trained fusion center or 
Federal agency analyst or investigator to ensure that it meets the vetting standard for an 
ISE-SAR (i.e., a SAR that has been determined, pursuant to a two-part process, to have a 
potential nexus to terrorism). ISE-SARs loaded into eGuardian are pushed to the FBI’s 
Guardian system, a classified counterpart to eGuardian, in which the FBI and its JTTFs 
compare investigative lead information with other holdings available to the FBI in its 
capacity as a member of the Intelligence Community. 


e. Field Intelligence Groups (FIGs): The hub of the FBI’s intelligence program in the field, 
FIGs are the primary mechanism through which FBI field offices identify, evaluate, and 
prioritize threats within their territories. Using dissemination protocols, FIGs contribute 
to regional and local perspectives on threats and serve as the FBI’s link among fusion 
centers, the JTTFs, and the Intelligence Community. 


f. Fusion center: “A collaborative effort of two or more Federal, State, local, tribal, or 
territorial (SLTT) government agencies that combines resources, expertise, or 
information with the goal of maximizing the ability of such agencies to detect, prevent, 
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investigate, apprehend, and respond to criminal or terrorist activity.” (Source: Section 
511 of the 9/11 Commission Act). State and major urban area fusion centers serve as 
focal points within the State and local environment for the receipt, analysis, gathering, 
and sharing of threat-related information between the Federal government and SLTT and 
private-sector partners. 


Information exchange: The transfer of information from one organization to another 
organization, in accordance with CTISS defined processes. 


Information Sharing Environment-Suspicious Activity Report (GSE-SAR): An ISE-SAR 
is a SAR (as defined below in 5.t) that has been determined, pursuant to a two-part 
process, to have a potential nexus to terrorism (i.e., to be reasonably indicative of 
criminal activity associated with terrorism). ISE-SAR business rules and privacy and 
civil liberties requirements will serve as a unified process to support the reporting, 
tracking, processing, storage, and retrieval of terrorism-related suspicious activity reports 
across the ISE. 


Joint Terrorism Task Forces (JTTFs): The FBI’s JTTFs are interagency task forces 
designed to enhance communication, coordination, and cooperation in countering 
terrorist threats. They combine the resources, talents, skills, and knowledge of Federal, 
State, territorial, tribal, and local law enforcement and homeland security agencies, as 
well as the Intelligence Community, into a single team that investigates and/or responds 
to terrorist threats. The JTTFs execute the FBI’s lead Federal agency responsibility for 
investigating terrorist acts or terrorist threats against the United States. 


National Information Exchange Model (NIEM): A joint technical and functional 
standards program initiated by the Department of Homeland Security (DHS) and the 
Department of Justice (DOJ) that supports national-level interoperable information 
sharing. 


Nationwide Suspicious Activity Reporting (SAR) Initiative (NSD: The NSI establishes 
standardized processes and policies that provide the capability for Federal, SLTT, 
campus, and railroad law enforcement and homeland security agencies to share timely, 
relevant ISE-SARs through a distributed information sharing system that protects 
privacy, civil rights, and civil liberties. 


Owning agency/organization: The organization that owns the target associated with the 
suspicious activity. 


. Personally identifiable information: Information that may be used to identify an 
individual (i.e., data elements in the identified “privacy fields” of this JSE-SAR 
Functional Standard). 


Pre-operational planning: Pre-operational planning describes activities associated with a 
known or particular planned criminal operation or with terrorist operations generally. 
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o. Privacy field: A data element that may be used to identify an individual and, therefore, is 
subject to privacy protection. 


p. Reasonably indicative: This operational concept for documenting and sharing suspicious 
activity report takes into account the circumstances in which that observation is made, 
which creates in the mind of the reasonable observer, including a law enforcement 
officer, an articulable concern that the behavior may indicate pre-operational planning 
associated with terrorism or other criminal activity.'. It also takes into account the 
training and experience of a reasonable law enforcement officer, in cases in which an 
officer is the observer or documenter of the observed behavior reported to a law 
enforcement agency. 


q. Source agency/organization: The agency or entity that originates the SAR report 
(examples include a local police department, a private security firm handling security for 
a power plant, and a security force at a military installation). The source organization will 
not change throughout the life of the SAR. 


r. Submitting agency/organization: The organization that actuates the push of the ISE-SAR 
to the NSI community. The submitting organization and the source organization may be 
the same. 


s. Suspicious activity: Observed behavior reasonably indicative of pre-operational planning 
associated with terrorism or other criminal activity. 


t. Suspicious Activity Report (SAR): Official documentation of observed behavior 
reasonably indicative of pre-operational planning associated with terrorism or other 
criminal activity. 


6. Guidance. This Functional Standard is hereby established as the nationwide ISE Functional 
Standard for identifying ISE-SARs. It is based on documented information exchanges and 
business requirements and describes the structure, content, and products associated with 
processing, integrating, and retrieving ISE-SARs by ISE agencies participating in the NSI. 


7. Responsibilities. 


a. The PM-ISE, in consultation with the Information Sharing and Access Interagency Policy 
Committee (ISA IPC), will: 


(1) Maintain and administer this JSE-SAR Functional Standard, to include: 
(a) Updating the business process and information flows for ISE-SAR. 
' Tt should be noted that for purposes of the evaluation and documentation of an ISE-SAR (See 5. h., above), the 


term “other criminal activity” must refer to criminal activity associated with terrorism and must fall within the scope 
of the 16 terrorism pre-operational behaviors identified in Part B of this Functional Standard. 


(2) 


(3) 


(4) 


(5) 


() 
(2) 


(3) 


(4) 


(5) 
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(b) Updating data elements and product definitions for ISE-SAR. 


Publish and maintain configuration management of this JSE-SAR Functional 
Standard. 


Assist with the development of ISE-SAR implementation guidance, training, and 
governance structure, as appropriate, to address privacy, civil rights, and civil 
liberties-related policy, architecture, and legal issues. 


Work with ISE agencies participating in the NSI, through the ISA IPC governance 
process, to develop a new or modified JSE-SAR Functional Standard, as needed and 
recognize the separate process for DHS and the FBI to update the behavioral 
examples in Part B ISE-SAR Criteria Guidance to rapidly reflect emerging threats 
and trends. 


Coordinate, publish, and monitor implementation and use of this JSE-SAR 
Functional Standard, and coordinate with the White House Office of Science and 
Technology Policy and with the National Institute of Standards and Technology (in 
the Department of Commerce) for broader publication, as appropriate. 


. Each ISA IPC member and other affected organizations shall: 


Propose modifications to the PM-ISE for this Functional Standard, as appropriate. 


AS appropriate, incorporate this JSE-SAR Functional Standard, and any subsequent 
implementation guidance, into budget activities associated with relevant current 
(operational) mission specific programs, systems, or initiatives (e.g., operations and 
maintenance [O&M] or enhancements). 


AS appropriate, incorporate this JSE-SAR Functional Standard, and any subsequent 
implementation guidance, into budget activities associated with future or new 
development efforts for relevant mission-specific programs, systems, or initiatives 
(e.g., development, modernization, or enhancement [DME]). 


Ensure that incorporation of this ISE-SAR Functional Standard, as set forth in 7.b 
(2) or 7.b (3) above, is done in compliance with [SE Privacy Guidelines and any 
additional guidance provided by the ISA IPC Privacy and Civil Liberties 
Subcommittee (P/CL Subcommittee). 


Ensure that incorporation of this ISE-SAR Functional Standard, as set forth in 7.b 
(1) or 7.b (2) above, is done without impact on federal agencies’ lawful collection, 
maintenance, dissemination, and use of information, as provided by federal law. 
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8. Effective Date and Expiration. This JSE-SAR Functional Standard supersedes the 
Information Sharing Environment, Functional Standard, Suspicious Activity Reporting, v. 
1.5 (2009), is effective immediately, and will remain in effect as the updated ISE-SAR 
Functional Standard until further updated, superseded, or cancelled. 


qh — 


Program Manager for the 
Information Sharing Environment 


Date: February 23, 2015 
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PART A—ISE-SAR FUNCTIONAL STANDARD ELEMENTS 


SECTION I: DOCUMENT OVERVIEW 


List of ISE-SAR Functional Standard Technical Artifacts 


The full ISE-SAR information exchange contains five types of supporting technical artifacts. 
This documentation provides details of implementation processes and other relevant reference 
materials. A synopsis of the JSE-SAR Functional Standard technical artifacts is contained in 


Table 1 below. 


Table 1 — Functional Standard Technical Artifacts” 


Artifact Type Artifact Artifact Description 
Development and |1. Component Mapping _ | This spreadsheet captures the ISE-SAR 
Implementation Template (CMT) information exchange class and data element 
Tools (SAR-to-NIEM) (source) definitions and relates each data element 


to corresponding National Information Exchange 
Model (NIEM) Extensible Mark-Up Language 
(XML) elements and NIEM elements, as 
appropriate. 


NIEM Wantlist 


The Wantlist is an XML file that lists the elements 
selected from the NIEM data model for inclusion 
in the Schema Subset. The Schema Subset is a 
compliant version to both programs that has been 
reduced to only those elements actually used in the 
ISE-SAR document schema. 


XML Schemas 


The XML Schema provides a technical 
representation of the business data requirements. 
They are a machine-readable definition of the 
structure of an ISE-SAR-based XML Message. 


XML Sample Instance 


The XML Sample Instance is a sample document 
that has been formatted to comply with the 
structures defined in the XML Schema. It provides 
the developer with an example of how the ISE- 
SAR schema is intended to be used. 


Codified Data Field 
Values 


Listings, descriptions, and sources as prescribed 
by data fields in the JSE-SAR Functional 
Standard. 


? Development and implementation tools may be accessible through www.ise.gov. In addition, updated versions of 
this Functional Standard should conform with NIEM. 
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SECTION II: SUSPICIOUS ACTIVITY REPORTING EXCHANGES 


A. ISE-SAR Purpose 


This ISE-SAR Functional Standard has been designed to incorporate key elements that describe 
pre-operational behaviors that are criminal in nature and have historically been associated with 
terrorism. The NSI includes law enforcement,+ homeland security,” and other information 
sharing partners at the Federal, SLTT levels, including State and major urban area fusion centers, 
to the full extent permitted by law. In addition to providing specific indications about possible 
terrorism-related behaviors, ISE-SARs can be used to look for patterns and trends by analyzing 
information at a broader level than would typically be recognized within a single jurisdiction, 
including SLTT jurisdictions. Standardized and consistent sharing of ISE-SARs among State and 
major urban area fusion centers and Federal agencies participating in the NSI is vital to 
assessing, deterring, preventing, or prosecuting those involved in criminal activities with a 
potential nexus to terrorism (i.e., to be reasonably indicative of pre-operational planning 
associated with terrorism). This JSE-SAR Functional Standard has been designed to incorporate 
key elements that describe pre-operational behaviors historically associated with terrorism. 


B. ISE-SAR Scope 


An ISE-SAR is a SAR that has been determined by a trained analyst or investigator, pursuant to 
a two-part process,® to have a potential nexus to terrorism (i.e., to be reasonably indicative of 
pre-operational planning associated with terrorism). (See Section II. D. 3. below, Analysis and 
Production). “Reasonably indicative” is a determination that takes into account (1) the 
circumstances in which the observation is made, which creates in the mind of the reasonable 
observer an articulable concern that the behavior may indicate pre-operational planning 
associated with terrorism or other criminal activity; and (2) the training and expertise of a 
reasonable law enforcement officer, in cases in which an officer is the observer or documenter of 
the SAR, who may be informed by specific or general threat bulletins, trip wire reports, or other 
information or intelligence. The term “pre-operational planning” refers to those activities that 
are associated with a known or particular planned criminal operation or with terrorist operations 
generally. 


3 Identified in Part B of this Functional Standard, the 16 pre-operational behaviors are criminal in nature either 
because they are inherently criminal (e.g., breach, theft, sabotage) or because they are being engaged in to further a 
terrorism operation (e.g., testing or probing of security, observation/surveillance, materials acquisition). The 
pre-operational behavioral criteria and categories are listed in Part B of this Functional Standard. 

4 All references to Federal and SLTT law enforcement agencies are intended to encompass civilian law enforcement, 
military police, and other security professionals. 

> All references to homeland security are intended to encompass public safety, emergency management, and other 
officials who routinely participate in the State or major urban area’s homeland security preparedness activities. 

6 The determination of an ISE-SAR is a two-part process: (1) at the State or major urban area fusion center or 
Federal agency, an analyst or law enforcement officer reviews the newly reported information for suspicious 
behavior based on his or her training and expertise and against ISE-SAR behavior criteria; and (2) based on the 
context, facts, and circumstances, the analyst or investigator determines whether the information meeting the criteria 
has a potential nexus to terrorism (i.e., to be reasonably indicative of pre-operational planning associated with 
terrorism). 
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A determination that a SAR constitutes an ISE-SAR is made as part of a two-part vetting process 
by a trained analyst or investigator who takes into account the reported circumstances of the 
SAR, including both the training and experience of the law enforcement or homeland security 
personnel reporting the behavior, to confirm that the reasonably indicative determination has 
been met.’ The analyst or investigator then compares the SAR with information from available 
databases and resources, reviews the behavior against the Part B (ISE-SAR Criteria Guidance) 
pre-operational terrorism behaviors, and then makes a judgment as to whether, given the context, 
facts, and circumstances available, there is a potential nexus to terrorism (i.e., to be reasonably 
indicative of pre-operational planning associated with terrorism). Part B- provides a more 
thorough explanation of ISE-SAR pre-operational behavior criteria and highlights the importance 
of the trained analyst or investigator taking into account the context, facts, and circumstances in 
reviewing suspicious behaviors to identify those SARs with a potential nexus to terrorism (1.e., to 
be reasonably indicative of pre-operational planning associated with terrorism). The following 
are select examples of the 16 terrorism pre-operational behavioral categories, set forth in Part B, 
that may be reasonably indicative of terrorism: 


Expressed or implied threat 
Theft/loss/diversion 
Breach/attempted intrusion 
Cyberattacks 

Testing or probing of security® 


It is important to stress that this behavior-focused approach to identifying suspicious activity 
requires that factors such as race, ethnicity, gender, national origin, religion, sexual orientation, 
or gender identity must not be considered as factors creating suspicion (but attributes may be 
documented in specific suspect descriptions for identification purposes). The same 
constitutional standards that apply when conducting ordinary criminal investigations also apply 
to Federal and SLTT law enforcement and homeland security officers collecting information 
about suspicious activity. The ISE-SAR Functional Standard does not alter law enforcement 
officers’ constitutional obligations when interacting with the public. This means, for example, 
that constitutional protections and agency policies and procedures that apply to a law 


7 In assessing whether behavior constitutes “suspicious activity,” law enforcement and homeland security personnel 
should consider all of the circumstances in which the behavior was observed, including knowledge such personnel 
may have had of any emerging threats or tradecraft, such as those based on specific or general threat bulletins, trip 
wire reports, or other information or intelligence. 

8 For a full list and explanation of the behavioral categories, behavioral criteria, and descriptive examples, see Part 
B. 

° Consideration and documentation of race, ethnicity, gender, national origin, religion, sexual orientation, or gender 
identity shall be consistent with applicable guidance, including, for federal law enforcement officers, Guidance for 
Federal Law Enforcement Agencies regarding the Use of Race, Ethnicity, Gender, National Origin, Religion, Sexual 
Orientation, or Gender Identity (December 2014). 
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enforcement officer’s authority to stop, stop and frisk (“Terry Stop”)!°, request identification, or 
detain and question an individual apply in the same measure to observed behavior that is 
reasonably indicative of pre-operational planning associated with terrorism or other criminal 
activity. It is also important to recognize that many terrorism-related activities are now being 
funded via local or regional criminal organizations whose direct association with terrorism may 
be tenuous. This places law enforcement and homeland security professionals in the unique, yet 
demanding, position of identifying suspicious behaviors as a by-product or secondary element in 
a criminal enforcement or investigative activity. This means that, while some ISE-SARs may 
document observed behaviors to which local agencies have already responded, there is value in 
sharing them more broadly to facilitate aggregate trending or analysis of potential terrorist 
activities. 


ISE-SARs are not intended to be used to track or record ongoing enforcement, intelligence, or 
investigatory operations, although they can provide information on these activities. The ISE- 
SAR process offers a standardized means for identifying and sharing ISE-SARs and applying 
data analytic tools to the information. Any patterns identified during ISE-SAR data analysis 
must be investigated in cooperation with the FBI’s JTTFs. If the information originates with the 
JTTF, the JTTF should work in coordination with the State or major urban area fusion center 
unless departmental policies and procedures dictate otherwise (e.g., the information is classified). 


C. Overview of Nationwide SAR Cycle 


As defined in the Nationwide Suspicious Activity Reporting Initiative (NSI) Concept of 
Operations (CONOPS),'' the Nationwide SAR process consists of five standardized business 
process categories: (1) planning; (2) gathering and processing; (3)analysis and production; 
(4) dissemination; and (4) reevaluation. Under these five categories are nine steps that complete 
the Nationwide SAR cycle, as illustrated below in Figure 1. Figure | relates to the detailed ISE- 
SAR flowchart outlined in Part C of this version of the JSE-SAR Functional Standard. For further 
detail on the 12 NSI steps, please refer to the NSJ CONOPS. 


'0 “Terry Stop” refers to the U.S. Supreme Court ruling in Terry v. Ohio, 392 U.S. 1 (1968), which held that a law 
enforcement officer may stop and frisk an individual for weapons that may endanger the officer when the officer has 
a reasonable and articulable suspicion, based on a totality of the circumstances, that the individual may be armed 
and dangerous. 

‘| PM-ISE, Nationwide SAR Initiative Concept of Operations (2008), available from 
http://ise.gov/sites/default/files/NSI_CONOPS_Version_1_FINAL_2008-12-11_r1.0.pdf. 


Atal 
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1) Observation ios as ee | 2) Supervisory 
review of the 


and reporting report 


9) Frontline LE personnel trained 


to recognize behavior and 3) SAR is sent to 
incidents indicative of terrorism; fusion center 
community outreach plan and/or JTTF 
implemented 


The Nationwide 
8) State and major urban area fusion SA R Cycl e 


centers, in coordination with state, 4) Determination and 
local, tribal, territorial, and federal documentation of an 
agencies, develop information needs ISE-SAR 


based on risk assessment 


7) Federal agencies and 5) ISE-SAR 

fusion centers develop shared in the NS! 
relevant risk assessments, SAR Data 
based on the established Repository (SDR) 


information needs 


6) National 
coordinated 
information 


needs on annual 
and ad hoc basis 


Figure I —ISE-SAR Flowchart 


The technical framework of the SAR vetting and approval process that may produce an ISE-SAR 
is discussed in the Nationwide Suspicious Activity Reporting (SAR) Initiative SAR Data 
Repository (SDR) Concept of Operations (NSI SDR CONOPS).'? The NSI SDR CONOPS 
explains the technical solution and associated user and training requirements supporting the NSI 
and details the enhanced platform that offers new efficiencies and deploys distributed capabilities 
to the NSI user community. The NSI SDR CONOPS provides an overview of the rules, 
regulations, policies, and training associated with accessing, submitting, and searching SAR data 
residing in the NSI SDR and the various tools that enable those submissions and searches. 


D. ISE-SAR Top-Level Business Process 
1. Planning 
The activities in the planning phase of the NSI cycle, while integral to the overall NSI, are not 


discussed further in this Functional Standard. See the NSI CONOPS for more details. 


The NSI SDR CONOPS, (2014), available from 
https://leo.cjis.gov/leoContent/docs/gen/lesig/e_guard/fbi_reports/ 
2014/201401_nsi_sar_data_repository_conops.pdf. 
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2. Gathering and Processing 


SLTT law enforcement agencies, homeland security agencies, or field elements of Federal 
agencies participating in the NSI gather, document, and report information about suspicious 
activity in support of their responsibilities to investigate potential criminal activity, protect 
citizens, apprehend and prosecute criminals, and prevent crime. Information acquisition begins 
with an observation or report of unusual or suspicious behavior which, under the circumstances, 
is reasonably indicative of pre-operational planning associated with terrorism or other criminal 
activity. Behaviors that may be reasonably indicative of pre-operational planning associated 
with terrorism include, but are not limited to, theft, loss, or diversion, site breach or physical 
intrusion, cyberattacks, possible testing of physical response, or other unusual behavior or sector- 
specific incidents. It is important to emphasize that context, facts, and circumstances are essential 
elements for determining the relevance of suspicious behaviors to criminal activity with a 
potential nexus to terrorism (i.e., to be reasonably indicative of pre-operational planning 
associated with terrorism). (See Part B for more details.) 


Regardless of whether the initial observer is a private citizen, a representative of a private-sector 
partner, a government official, or a law enforcement or homeland security officer, suspicious 
activity may be reported to an SLTT law enforcement agency, a fusion center, or a local, 
regional, or national office of a Federal agency. When the initial investigation or fact gathering is 
completed, the investigating officer or official documents the event as a SAR, in accordance with 
the ISE-SAR Functional Standard, agency policy, local ordinances, and State and Federal laws 
and regulations. 


The SAR is then reviewed within an SLTT or Federal agency by appropriately designated 
supervisors or other officials, who may have operational, privacy, and civil liberties 
responsibilities, for linkages to other suspicious or criminal activity in accordance with agency or 
departmental policy and procedures.!* Although there is always some level of local review, the 
degree varies from agency to agency. Smaller agencies may forward most SARs directly to their 
State or major urban area fusion centers or their local FBI JTTF, where further analysis can take 
place to determine whether the SAR reflects a Part B terrorism pre-operational behavior, has a 
potential nexus to terrorism (i.e., to be reasonably indicative of pre-operational planning 
associated with terrorism), and is therefore an ISE-SAR. Major cities, on the other hand, may 
have trained counterterrorism experts on staff that perform analytic review of the initial reports 
and filter out those that can be determined not to have a potential nexus to terrorism (1.e., to be 
reasonably indicative of pre-operational planning associated with terrorism). 


After appropriate local processing, SLTT agencies make SARs available to their relevant State or 
major urban area fusion centers. Field components of Federal agencies participating in the NSI 
forward their SARs to the appropriate regional, district, or headquarters office, employing 
processes that vary from agency to agency. In those cases in which a local agency can determine 
that an activity has a direct connection to terrorism, it should immediately provide the 


‘3 If appropriate, the agency should consult with a JTTF, FIG, or State or major urban area fusion center. 
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information directly to the responsible FBI JTTF'* for follow-on action against the identified 
terrorist activity. In those cases in which the local agency can determine that an activity has a 
direct connection to a terrorist event or pre-operational planning associated with terrorism, it will 
provide the information directly to the responsible JTTF for use as the basis for an assessment or 
investigation of a terrorism-related crime as appropriate. 


3. Analysis and Production 


The SLTT agency, fusion center, or Federal agency enters the SAR into an NSI SDR-connected 
platform. The SAR undergoes a two-part review process by a trained analyst or an investigator 
to establish or discount a potential nexus to terrorism (i.e., discount that it is reasonably 
indicative of pre-operational planning associated with terrorism). First, the trained analyst or law 
enforcement investigator reviews the newly reported SAR information against 16 pre-operational 
behaviors associated with terrorism that are identified in Part B of this ISE-SAR Functional 
Standard, keeping in mind—when interpreting the behaviors—the importance of context, facts, 
and circumstances.'> The analyst or investigator will then review the input against all available 
knowledge and information for linkages to other suspicious or criminal activity and determine 
whether the information reflects Part B behaviors. 


Second, if the information reflects one or more Part B behaviors, the officer or analyst will apply 
his or her professional judgment to determine whether, based on the available context, facts, and 
circumstances, the information has a potential nexus to terrorism (i.e., to be reasonably indicative 
of pre-operational planning associated with terrorism). If the officer or analyst cannot make this 
explicit determination, the report will not be accessible in the NSI SDR, although it may be 
retained in local fusion center or Federal agency files in accordance with established retention 
policies and business rules or reported to the FBI or other law enforcement or homeland security 
agencies under other legal authorities. However, if that determination is made by the analyst or 
investigator, the SAR will either be submitted immediately to the NSI SDR or forwarded for 
secondary review and approval, which may lead to submission to the NSI SDR. 


As described in Part B, the activities listed as “Potential Criminal or Non-Criminal Activity” are 
not inherently criminal behaviors and are potentially constitutionally protected; thus, additional 
facts or circumstances must be articulated in the incident. 


4. Dissemination 


Once a SAR has been determined to meet Part B behavior criteria and have a potential nexus to 
terrorism (i.e., to be reasonably indicative of pre-operational planning associated with terrorism), 
the SAR becomes an ISE-SAR and is formatted in accordance with the ISE-SAR Information 
Exchange Package Document (IEPD) format described in Sections HI and IV. The ISE-SAR is 


‘4 SARs that do not require an immediate law enforcement response should nonetheless be made available to JTTFs 
for a coordinated evaluation, including, but not limited to, comparing the information with other holdings available 
to the FBI as a member of the Intelligence Community. 

'S Tt is important to note that the analyst or investigator should not make assumptions or presumptions as to why an 
individual acted or failed to act in a certain way; rather, the determination that the behavior is suspicious should be 
based on the behavior observed or on documented circumstances. 
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then uploaded by the submitting agency, where it is immediately provided to the FBI for an 
assessment-level investigation and made available to all other NSI participants. This allows 
authorized law enforcement agencies and fusion centers to be cognizant of all terrorism-related 
suspicious activity in their respective areas of responsibility, consistent with the information flow 
description in Part C, and allows the FBI to take investigative action as appropriate and in 
coordination with or with the knowledge of the source agency. Although the ISE-SAR has been 
shared with all NSI participants, it remains under the ownership and control of the submitting 
organization (i.e., SLTT law enforcement agency, fusion center, or Federal agency that made the 
initial determination that the activity constituted an ISE-SAR) and the ISE-SAR is then uploaded 
to the NSI SDR. 


By this stage of the process, all initially reported SARs have been through multiple levels of 
review by trained personnel and, to the maximum extent possible, those SARs without a 
potential nexus to terrorism have been filtered out. SARs that are vetted, approved, and made 
available for sharing in the NSI SDR are ISE-SARs and can be presumed by Federal, State, and 
local analytic personnel to have a potential nexus to terrorism (i.e., to be reasonably indicative of 
pre-operational planning associated with terrorism), and information derived from them can be 
used along with other sources to support JTTF or other counterterrorism operations or to develop 
counterterrorism analytic products. As in any analytic process, however, all information is 
subject to further review and validation. Analysts must coordinate with the submitting 
organization for deconfliction and are responsible for obtaining and using any available relevant 
information in the applicable analytic product. To appropriately safeguard privacy, civil rights, 
and civil liberties, analytical programs should be conducted in accordance with agency policies 
and procedures, including privacy policies, and records management schedules and should 
implement auditing and accountability measures. 


Once ISE-SARs are accessible in the NSI SDR, they can be used to support a range of 
counterterrorism analytic and operational activities. This step involves the actions necessary to 
integrate ISE-SAR information into existing counterterrorism analytic and operational processes, 
including efforts to “connect the dots,” identify information gaps, and develop formal analytic 
products. 


5. Reevaluation’® 


Operational feedback on the status of ISE-SARs is an essential element of an effective NSI 
process with important implications for privacy, civil rights, and civil liberties. First of all, it is 
important to notify source organizations when information they provide is designated as an ISE- 
SAR by a submitting organization and made available for sharing—a form of positive feedback 
that lets organizations know that their initial suspicions have some validity. Second, once the 
FBI assigns and assesses an ISE-SAR, the submitting organization is electronically notified of 
the FBI field office investigating the SAR and the results of the assessment. These results are 
maintained in the disposition section of the ISE-SAR for all NSI participants to review. 


'6 The reevaluation phase also encompasses the establishment of an integrated counterterrorism information needs 
process, a process that does not relate directly to information exchanges through this standard. See page 23 of the 
2008 NSI CONOPS for more details. 
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E. Broader ISE-SAR Applicability 


Consistent with the JSE Privacy Guidelines and Presidential Guideline 2, and to the full extent 
permitted by law, this JSE-SAR Functional Standard is designed to support the sharing of 
unclassified information or sensitive but unclassified (SBU)/controlled unclassified information 
(CUI) within the NSI SDR. There is also a provision for using a data element indicator for 
designating classified national security information as part of the ISE-SAR record, as necessary. 
This condition could be required under special circumstances for protecting the context of the 
event, or specifics or organizational associations of affected locations. The State or major urban 
area fusion center or the FBI’s Guardian Management Unit (GMU) or JTTF acts as a key conduit 
between the SLTT agencies and other NSI participants. It is important to note that, although 
many SAR source agencies and ISE-SAR consumers have responsibilities beyond terrorist 
activities, the NSI ISE-SAR concept is focused exclusively on terrorism-related information. Of 
special note, there is no intention to modify or otherwise affect, through this JSE-SAR Functional 
Standard, the currently supported or mandated direct interactions between SLTT law 
enforcement and investigatory personnel and the FBI’s JTTFs and/or FIGs. 


This ISE-SAR Functional Standard will be used as the ISE-SAR information exchange standard 
for all NSI participants. Although the extensibility of this JSE-SAR Functional Standard does 
support customization for unique communities, jurisdictions planning to modify this JSE-SAR 
Functional Standard must carefully consider the consequences of customization. The PM-ISE 
requests that modification follow a formal change request process through the ISA IPC as 
appropriate, for both community coordination and consideration. Further, messages that do not 
conform to this Functional Standard may not be consumable by the receiving organization and 
may require modifications by the nonconforming organizations. 


F. Other Information Sharing Authorities 


The ISE-SAR process does not supersede other information or intelligence gathering, collection, 
or sharing authority, including the authority to share information between and among Federal 
agencies and SLTT agencies where the information is related to homeland security, terrorism, or 
other Federal crimes. 


Multiple Federal agencies currently have the authority to collect terrorism-related tips and leads. 
However, only those tips and leads that comply with the ISE-SAR Functional Standard are 
broadly shared with NSI participants. At the SLTT level, crime and terrorism information, 
including terrorism-related non-ISE-SAR information, can and should be reported to appropriate 
Federal agencies based on their relevant legal authorities. '7 


'7 As an example, SLTT agencies may provide terrorism-related source data that leads to the creation of an 
Intelligence Information Report (IR), which is ultimately shared with the federal Intelligence Community. In 
addition, SLTT agencies often enhance existing federal data by providing local context for an assortment of 
Intelligence Community partners (e.g., Drug Enforcement Administration and DHS components). A third example 
relates to terrorism-related leads that do not meet the requirements of the JSE-SAR Functional Standard but may 
require investigative follow-up by the FBI. Under the latter circumstance, non-ISE-SAR information may be 
submitted electronically to the FBI. 
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It is important to recognize that the multidirectional sharing of non-ISE-SAR information takes 
place outside the NSI SDR. Consequently, while systems involved in the NSI can be used in the 
exercise of other agency authorities related to information and intelligence collection, sharing, 
and analysis, information sharing outside the scope of the JSE-SAR Functional Standard must be 
done in accordance with other agency legal authorities, policies and procedures, and interagency 
agreements. This means that reports determined not to be ISE-SARs will be handled in 
accordance with applicable SLTT and other agencies’ authorities, policies, and procedures. 


G. Protecting Privacy, Civil Rights, and Civil Liberties 


Laws that prohibit or otherwise limit the sharing of PII vary considerably between the Federal 
SLTT levels. The Privacy Act of 1974 (5 USC §552a), as amended, other statutes such as the 
E-Government Act of 2002, and many governmentwide or departmental regulations establish a 
framework and criteria for protecting information privacy in the Federal government. The ISE, 
including NSI participants, must facilitate the sharing of information in a lawful manner, which, 
by its nature, must recognize, in addition to Federal statutes and regulations, different SLTT, 
laws, regulations, or policies that affect privacy. One method for protecting privacy, civil rights, 
and civil liberties while enabling the broadest possible sharing is to anonymize ISE-SAR reports 
by excluding data elements that contain PII. Accordingly, NSI participating agencies enter ISE- 
SARs according to their privacy laws and policies and rules governing the sharing of PII, where 
appropriate. 


SECTION II: INFORMATION EXCHANGE DEVELOPMENT DATA MODEL 


This ISE-SAR Functional Standard includes a collection of artifacts that support ISE-SAR 
information exchanges. The basic ISE-SAR information exchange is documented using five 
unique artifacts, giving implementers tangible products that can be leveraged for local 
implementation. A domain model provides a graphical depiction of those data elements required 
for implementing an exchange and the cardinality between those data elements. Second, a 
Component Mapping Template is a spreadsheet that associates each required data element with 
its corresponding XML data element. Third, information exchanges include the schemas that 
consist of a document, extension, and constraint schema. Fourth, at least one sample XML 
Instance and associated style-sheet is included to help practitioners validate the model, mapping, 
and schemas in a more intuitive way. Fifth, a codified data field values listing provides listings, 
descriptions, and sources as prescribed by the data fields. 


SECTION IV: ISE-SAR EXCHANGE DATA MODEL 
A. Summary of Elements 


This section contains a full inventory of all ISE-SAR information exchange data classes, 
elements, and definitions. Items and definitions contained in cells with a light purple background 
are data classes, while items and definition contained in cells with a white background are data 
elements. A wider representation of data class and element mappings to source (ISE-SAR 
information exchange) and target is contained in the Component Mapping Template located in 
the technical artifacts folder. 
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Cardinality between objects in the model is indicated on the line in the domain model (see 
Section 5A). Cardinality indicates how many times an entity can occur in the model. For 
example, Vehicle, Vessel, and Aircraft all have cardinality of 0.n. This means that they are 
optional but may occur multiple times if multiple suspect vehicles are identified. 


Clarification of organizations used in the exchange: 


The source agency/organization is the agency or entity that originates the SAR 
report (examples include a local police department, a private security firm 
handling security for a power plant, and a security force at a military installation). 
The source organization will not change throughout the life of the SAR. 


The submitting agency/organization is the organization that actuates the push of 
the ISE-SAR to the NSI community. The submitting agency/organization and the 
source agency/organization may be the same. 

The owning agency/organization is the organization that owns the target!® 
associated with the suspicious activity (see page 21). 


'8 The target is a technical term for field of interest that is not readily viewed by someone who queries a particular 
SAR. 
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Table 2 —ISE-SAR Information Exchange Data Classes, Elements, and Definitions 


Privacy Source pea 
Field Class/Element pouree De uniton 

Aircraft 

parcrat engine The number of engines on an observed aircraft. 

Quantity 

pai Fuselage A code identifying a color of a fuselage of an aircraft. 

Aircraft Wing Color | A code identifying a color of a wing of an aircraft. 
A unique identifier assigned to the aircraft by the 
observing organization—used for referencing. *If this 

xX Aircraft ID identifier can be used to identify a specific aircraft, 

for instance, by using the aircraft tail number, then 
this element is a privacy field. [free text field] 

Aircraft Make Code | A code identifying a manufacturer of an aircraft. 

Mrcakiviedel Code A code identifying a specific design or type of aircraft 
made by a manufacturer. 

Aircraft Style Code A code identifying a style of an aircraft. 
An aircraft identification number prominently 

xX Aircraft Tail Number | displayed at various locations on an aircraft, such as 

on the tail and along the fuselage. [free text field] 

Attachment 


Attachment Type Text 


Describes the type of attachment (e.g., surveillance 
video, mug shot, evidence). [free text field] 


Binary Image 


Binary encoding of the attachment. 


Capture Date 


The date that the attachment was created. 


Description Text 


Text description of the attachment. [free text field] 


Format Type Text 


Format of attachment (e.g., mpeg, jpg, avi). [free text 
field] 


Attachment URI 


Uniform Resource Identifier (URJ) for the 
attachment. Used to match the attachment link to the 
attachment itself. Standard representation type that 
can be used for Uniform Resource Locators (URLs) 
and Uniform Resource Names (URNs). 


Attachment Privacy 
Field Indicator 


Identifies whether the binary attachment contains 
information that may be used to identify an 
individual. 
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BENACY. Source Source Definition 
Field Class/Element 
Contact Information 
Xx Person First Name Person to contact at the organization. 
xX Person Last Name Person to contact at the organization. 


An e-mail address of a person or organization. [free 


E-Mail Address sent Held 


A full-length telephone identifier representing the 


Xx ene digits to be dialed to reach a specific telephone 
Number ; : 
instrument. [free text field] 
Driver License 
Xx Expiration Date The month, date, and year that the document expires. 
Expiration Year The year the document expires. 
Code identifying the organization that issued the 
: : driver license assigned to the person. Examples 
oe anny include Department of Motor Vehicles, Department 
of Public Safety, and Department of Highway Safety 
and Motor Vehicles. [free text field] 
A driver license identifier or driver license permit 
Xx Driver License identifier of the observer or observed person of 
Number interest involved with the suspicious activity. [free 
text field] 
Follow-Up Action 
Activity Date Date that the follow-up activity started. 
Activity Time Time that the follow-up activity started. 


Organizational identifier that describes the 
organization performing a follow-up activity. This is 
Assigned By Text designed to keep all parties interested in a particular 
ISE-SAR informed of concurrent investigations. [free 
text field] 


Text describing the person or suborganization that 
Assigned To Text will be performing the designated action. [free text 
field] 


Description of disposition of suspicious activity 


Disposition Text ; cae : 
P investigation. [free text field] 


Description of the state of follow-up activity. [free 


Status Text text field] 
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Enyacy poutce Source Definition 
Field Class/Element 
Location 
A description of a location where the suspicious 
activity occurred. If the location is an address that is 
xX Location Description | not broken into its component parts (e.g., 1234 Main 


Street), this field may be used to store the compound 
address. [free text field] 


Location Address 


Building Description 


A complete reference that identifies a building. [free 
text field] 


County Name 


A name of a county, parish, or vicinage. [free text 
field] 


Country Name 


A country name or other identifier. [free text field] 


Cross Street 
Description 


A description of an intersecting street. [free text field] 


Floor Identifier 


A reference that identifies an actual level within a 
building. [free text field] 


ICAO Airfield Code 
for Departure 


An International Civil Aviation Organization (ICAO) 
airfield code for departure. Indicates aircraft, crew, 
passengers, and cargo on conveyance location 
information. [free text field] 


ICAO Airfield Code | An airfield code for planned destination. Indicates 
for Planned aircraft, crew, passengers, and cargo on conveyance 
Destination location information. [free text field] 
ICAO for Actual An airfield code for actual destination. Indicates 
ae aircraft, crew, passengers, and cargo on conveyance 

Destination bee : : 

location information. [free text field] 
ICAO Airfield for An airfield code for Alternate. Indicates aircraft, 

crew, passengers, and cargo on conveyance location 
Alternate : . . 

information. [free text field] 

Identifies the sequentially numbered marker on a 
Mile Marker Text roadside that is closest to the intended location. Also 


known as milepost, or mile post. [free text field] 


Municipality Name 


The name of the city or town. [free text field] 


Postal Code 


The ZIP code or postal code. [free text field] 


State Name 


Code identifying the state. 


Street Name 


A name that identifies a particular street. [free text 
field] 
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Privacy Source ea 
Field Class/Element Source Detinition 
A number that identifies a particular unit or location 
x pee ae within a street. [free text field] 
Sitsep Pose Directional A direction that appears after a street name. [free text 
field] 
Siasepie i ceiesal A direction that appears before a street name. [free 
text field] 
A type of street, e.g., street, boulevard, avenue, 
since! TYRE highway. [free text field] 
xX Unit ID A particular unit within the location. [free text field] 
Location 
Coordinates 
Altitude Height above or below sea level of a location. 


Coordinate Datum 


Coordinate system used for plotting location. 


Latitude Degree 


A value that specifies the degree of a latitude. The 
value comes from a restricted range between -90 
(inclusive) and +90 (inclusive). 


Latitude Minute 


A value that specifies a minute of a degree. The value 
comes from a restricted range of 0 (inclusive) to 60 
(exclusive). 


Latitude Second 


A value that specifies a second of a minute. The value 
comes from a restricted range of 0 (inclusive) to 60 
(exclusive). 


Longitude Degree 


A value that specifies the degree of a longitude. The 
value comes from a restricted range between -180 
(inclusive) and +180 (exclusive). 


Longitude Minute 


A value that specifies a minute of a degree. The value 
comes from a restricted range of 0 (inclusive) to 60 
(exclusive). 


Longitude Second 


A value that specifies a second of a minute. The value 
comes from a restricted range of 0 (inclusive) to 60 
(exclusive). 


Conveyance A direction by heading and speed or route and/or 
Track/Intent waypoint of conveyance. [free text field] 
Observer 
Indicates the relative expertise of an observer to the 
suspicious activity (e.g., professional observer versus 
Observer Type Text | layman). Example: a security guard at a utility plant 


recording the activity, or a citizen driving by viewing 
suspicious activity. [free text field] 
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Privacy Source SUE 
Field | Class/Element Source Detinition 
Number assigned by an employer for a person such as 
Xx Peon Ee) badge number. [free text field] 
Owning Agency/ 
Organization 
Organization Item A name of an organization that owns the target. [free 
text field] 
A text description of organization that owns the 
Organization target. The description may indicate the type of 
Description organization such as state bureau of investigation, 
highway patrol, etc. [free text field] 
A federal tax identifier assigned to an organization. 
eg Sometimes referred to as a Federal Employer 
* Organizanon ID Identification Number (FEIN), or an Employer 
Identification Number (EIN). [free text field] 
X Organization Local An identifier assigned on a local level to an 
ID organization. [free text field] 
Other Identifier 
Xx Person Identification | An identifying number assigned to the person, e.g., 
Number (PID) military serial numbers. [free text field] 
X PID Effective Date The month, date, and year that the PID number 
became active or accurate. 
PID Effective Year The year that the PID number became active or 
accurate. 
x PID Expiration Date The month, date, and year that the PID number 
expires. 
PID Expiration Year |The year that the PID number expires. 
PID Issuing Authority | The issuing authority of the identifier. This may be a 
Text State, military organization, etc. 
Code identifying the type of identifier assigned to the 
Pip Type Code person. [free text field] 
Passport 
xX Passport ID Document Unique Identifier. [free text field] 
Xx Expiration Date The month, date, and year that the document expires. 


Expiration Year 


The year the document expires. 


Issuing Country Code 


Code identifying the issuing country. [free text field] 
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Privacy Source pats 
Field | Class/Element source Detimtion 
Person 
A number issued by the FBI’s Automated Fingerprint 
xX AFIS FBI Number Identification System (AFIS) based on submitted 
fingerprints. [free text field] 
Age A precise measurement of the age of a person. 
: Code that identifies the unit of measure of an age of a 
mee Ce person (e.g., years, months). [free text field] 
xX Date of Birth The month, date, and year that a person was born. 
Year of Birth The year a person was born. 
Ethnicity Code Code that identifies the person’s cultural lineage. 
: The maximum age measurement in an estimated 
Maximum Age 
range. 
sd The minimum age measurement in an estimated 
Minimum Age 
range. 
Number assigned by the State based on biometric 
Xx State Identifier identifiers or other matching algorithms. [free text 
field] 
ae A nine-digit numeric identifier assigned to a living 
Xx Fox een person by the U.S. Social Security Administration. A 
Number ‘ : H 
social security number of the person. [free text field] 
Person Name 
Xx Beet Mane A first name or given name of the person. [free text 
field] 
eaet nie A last name or family name of the person. [free text 
field] 
Middle Name A middle name of a person. [free text field] 
Used to designate the compound name of a person 
that includes all name parts. This field should be used 
xX Full Name only when the name cannot be broken down into its 
component parts or if the information is not available 
in its component parts. [free text field] 
Xx Vesgikee Alternative or gang name for a person. [free text 
field] 
A component that is appended after the family name 
: that distinguishes members of a family with the same 
Name Suffix 


given, middle, and last name, or otherwise qualifies 
the name. [free text field] 
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Privacy Source he 
Name Type Text identifying the type of name for the person. For 
example, maiden name, professional name, nickname. 
Physical Descriptors 


Build Description 


Text describing the physique or shape of a person. 
[free text field] 


Eye Color Code Code identifying the color of the person’s eyes. 

Eye Color Text Text describing the color of a person’s eyes. [free text 
field] 

Hair Color Code Code identifying the color of the person’s hair. 

Mair Color’ Text Text describing the color of a person’s hair. [free text 


field] 


Person Eyewear Text 


A description of glasses or other eyewear a person 
wears. [free text field] 


Person Facial Hair 
Text 


A kind of facial hair of a person. [free text field] 


Person Height A measurement of the height of a person. 

Person Height Unit Code that identifies the unit of measure of a height of 
Code a person. [free text field] 

Person Maximum The maximum measure value on an estimated range 
Height of the height of the person. 

Person Minimum The minimum measure value on an estimated range 
Height of the height of the person. 

Person Maximum The maximum measure value on an estimated range 
Weight of the weight of the person. 


Person Minimum 
Weight 


The minimum measure value on an estimated range 
of the weight of the person. 


Person Sex Code 


A code identifying the gender or sex of a person 
(e.g., Male or Female). 


Person Weight A measurement of the weight of a person. 

Person Weight Unit | Code that identifies the unit of measure of a weight of 
Code a person. [free text field] 

Race Code Code that identifies the race of the person. 

Skin Tone Code Code identifying the color or tone of a person’s skin. 


Clothing Description 
Text 


A description of an article of clothing. [free text field] 
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Privacy Source pats 
Field | Class/Element source Detimton 

Physical Feature 

Fetinre Description A text description of a physical feature of the person. 
[free text field] 
A special kind of physical feature or any 

Feature Type Code distinguishing feature. Examples include scars, 
marks, tattoos, or a missing ear. [free text field] 
A description of a location. If the location is an 

beaten Desean Gen address that is not broken into its component parts 

P (e.g., 1234 Main Street), this field may be used to 

store the compound address. [free text field] 

Registration 

: ; Text describing the organization or entity authorizing 
Registration ; ; ; ee 
Authority Code the issuance of a registration for the vehicle involved 

with the suspicious activity. [free text field] 
The number on a metal plate fixed to/assigned to a 
. : vehicle. The purpose of the registration number is to 
* Reesmavon Number uniquely identify each vehicle within a state. [free 
text field] 

: : Code that identifies the type of registration plate or 
Peenstanon 1y0s license plate of a vehicle. [free text field] 
Registration Year A four-digit year as shown on the registration decal 

issued for the vehicle. 
ISE-SAR 
Submission 
Identifies whether more ISE-SAR details are 
Additional Details available at the authoring/submitting 
Indicator agency/organization than what has been provided in 
the information exchange. 
Date the data was entered into the reporting system 
pueeniy Date (e.g., the Records Management System). 
Generally established locally, this code describes the 
Dissemination Code | authorized recipients of the data. Examples include 
Law Enforcement Use, Do Not Disseminate, etc. 
Xx Fusion Center Contact | Identifies the first name of the person to contact at the 
First Name fusion center. [free text field] 
X Fusion Center Contact | Identifies the last name of the person to contact at the 
Last Name fusion center. [free text field] 
x Fusion Center Contact | Identifies the e-mail address of the person to contact 


E-Mail Address 


at the fusion center. [free text field] 
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Privacy Source BLE 
Field | Class/Element Source Definition 
Bysion Coniee Coniket The full phone number of the person at the fusion 
Xx center who is familiar with the record (e.g., law 
Telephone Number ‘ 
enforcement officer). 
Message Type 
et e.g., Add, Update, Purge. 


Privacy Purge Date 


The date by which the privacy information will be 
purged from the record system; general observation 
data is retained. 


Privacy Purge Review 
Date 


Date of review to determine the disposition of the 
privacy fields in a detailed ISE-SAR IEPD record. 


Submitting ISE-SAR 
Record ID 


Identifies the fusion center ISE-SAR record identifier 
for reports that are possibly related to the current 
report. [free text field] 


ISE-SAR Submission 
Date 


Date of submission for the ISE-SAR record. 


ISE-SAR Title 


Plain language title (e.g., bomb threat at the “X” 
Hotel). [free text field] 


ISE-SAR Version 


Indicates the specific version of the ISE-SAR to 
which the XML Instance corresponds. [free text field] 


Source Agency Case 
ID 


The case identifier for the agency that originated the 
SAR. Often, this will be a local law enforcement 
agency. [free text field] 


Source Agency 
Record Reference 
Name 


The case identifier that is commonly used by the 
source agency—may be the same as the system ID. 
[free text field] 


Source Agency 
Record Status Code 


The current status of the record within the source 
agency system. 


Privacy Information 
Exists Indicator 


Indicates whether privacy information is available 
from the source fusion center. This indicator may be 
used to guide people who only have access to the 
summary information exchange as to whether they 
can follow up with the submitting fusion center to 
obtain more information. 


Sensitive 
Information Details 


Classification Label 


A classification of information. Includes 
Confidential, Secret, Top Secret, no markings. [free 
text field] 
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Privacy Source oe 
Field | Class/Element Source Delmon 
Classification Reason | A reason why the classification was made as such. 
Text [free text field] 


Local information security categorization level 
(Controlled Unclassified Information-CUI, including 
Sensitive But Unclassified or Law Enforcement 
Sensitive). [free text field] 


Sensitivity Level 


Identifies whether a report is free of classified 


Tearlined Indicator : : 
information. 


Source Agency/ 
Organization 


The name used to refer to the agency originating the 


Organizalon Name: || <p. ifise text field] 


Originating Agency Identification (ORI) used to refer 


Organization ORI io the aoency. 
The system that the case identifier (e.g., Records 
System ID Management System, Computer Aided Dispatch) 


relates to within or the organization that originated 
the Suspicious Activity Report. [free text field] 


Fusion Center 


Lo Date of submission to the fusion center. 
Submission Date 


Source Agency The first name of the person at the agency that is 


xX : familiar with the record (e.g., law enforcement 
one aee iene officer). [free text field] 
The last name of the person at the agency that is 
Source Agency sa ; 
xX Contact leet Maine familiar with the record (e.g., law enforcement 
officer). [free text field] 
Source Agency The e-mail address of the person at the agency who is 
xX Contact E-mail familiar with the record (e.g., law enforcement 
Address officer). [free text field] 
Source Agency The full phone number of the person at the agency 
xX Contact that is familiar with the record (e.g., law 
Phone Number enforcement officer). 
Suspicious Activity 
Report 
Community Describes the intended audience of the document. 
Description [free text field] 
Community URL The URL to resolve the ISE-SAR information 


exchange payload namespace. 
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Source 
Class/Element 


LEXS Version 


ISE-FS-200 


Source Definition 


Identifies the version of Department of Justice LEISP 
Exchange Specification (LEXS) used to publish this 
document. ISE-FS-200 has been built using LEXS 
version 3.1. The schema was developed by starting 
with the basic LEXS schema and extending that 
definition by adding those elements not included in 
LEXS. [free text field] 


Message Date/Time 


A timestamp identifying when this message was 
received. 


Sequence Number 


A number that uniquely identifies this message. 


Reliability of the source, in the assessment of the 


Source Reliabilit f aaipe : - 
y reporting organization: could be one of “reliable, 
Code - : oe 09 
unreliable,” or “unknown. 
ve Validity of the content, in the assessment of the 
Content Validity iy in eee — é 
Code reporting organization: could be one of “confirmed, 


“doubtful,” or “cannot be judged.” 


Nature of Source- 
Code 


Nature of the source: could be one of “anonymous 
tip,” “confidential source,” “trained interviewer,” 
“written statement—victim, witness, other,” “private 
sector,” or “other source.” 


99 66. 


Nature of Source-Text 


Optional information of “other source” is selected 
above. [free text field] 


Submitting Agency/ 
Organization 


Organization Name 


Common Name of the fusion center or NSI 
participant that submitted the ISE-SAR record to the 
ISE. [free text field] 


Organization ID 


Fusion center or NSI participant’s alpha-numeric 
identifier. [free text field] 


ORI for the submitting fusion center or NSI 


Onganizanon ORI participant. [free text field] 
Identifies the system within the fusion center or NSI 
System ID participant that is submitting the ISE-SAR. [free text 


field] 


Suspicious Activity 


Activity End Date 


The end or completion date in Greenwich Mean Time 
(GMT) of an incident that occurs over a duration of 
time. 
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Privacy 
Field 


Source 
Class/Element 


Activity End Time 
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Source Definition 


The end or completion time in GMT of day of an 
incident that occurs over a duration of time. 


Activity Start Date 


The date in GMT when the incident occurred or the 
start date if the incident occurs over a period of time. 


Activity Start Time 


The time of day in GMT that the incident occurred or 
started. 


Observation 
Description Text 


Description of the activity including rationale for 
potential terrorism nexus. [free text field] 


Observation End Date 


The end or completion date in GMT of the 
observation of an activity that occurs over a duration 
of time. 


Observation End 
Time 


The end or completion time of day in GMT of the 
observation of an activity that occurred over a period 
of time. 


Observation Start 
Date 


The date in GMT when the observation of an 
activity occurred or the start date if the 
observation of the activity occurred over a period 
of time. 


Observation Start 
Time 


The time of day in GMT that the observation of an 
activity occurred or started. 


Broad category of threat to which the tip or lead 


Threat Type Cod 
ier ste re pertains. Includes Financial Incident, Suspicious 
Activity, and Cyber Crime. 
Breakdown of the Tip Type. It indicates the type of 
Threat Type Detail threat to which the tip or lead pertains. The subtype 
ext is often dependent on the Tip Type. For example, 


the subtypes for a nuclear/radiological tip class 
might be Nuclear Explosive or a Radiological 
Dispersal Device. [free text field] 


Suspicious Activity 
Code 


Indicates the type of threat to which the tip or 
lead pertains. Examples include a biological 
or chemical threat. 


Weather Condition 
Details 


The weather at the time of the suspicious 
activity. The weather may be described using 
codified lists or text. 
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Source 
Class/Element 
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Source Definition 


Critical Infrastructure 
Indicator 


Critical infrastructure, as defined by 42 USC Sec. 
5195c, means systems and assets, whether physical or 
virtual, so vital to the United States that the 
incapacity or destruction of such systems and assets 
would have a debilitating impact on security, national 
economic security, national public health or safety, or 
any combination of those matters. 


Infrastructure Sector 
Code 


The broad categorization of the infrastructure type. 
These include telecommunications, electrical power 
systems, gas and oil storage and transportation, 
banking and finance, transportation, water supply 
systems, emergency services (including medical, 
police, fire, and rescue), and continuity of 
government. 


Infrastructure Tier 
Text 


Provides additional detail that enhances the Target 
Sector Code. For example, if the target sector is 
Utilities, this field would indicate the type of utility 
that has been targeted, such as power station or power 
transmission. [free text field] 


Structure Type Code 


National Data Exchange (N-DEx) Code that 
identifies the type of structure that was involved in 
the incident. 


Target Type Text 


Describes the target type if an appropriate sector code 
is not available. [free text field] 


Structure Type Text 


Text for use when the Structure Type Code does not 
afford necessary code. [free text field] 


Target Description 
Text 


Text describing the target (e.g., Lincoln Bridge). [free 
text field] 


Vehicle 

Colertede Code that identifies the primary color of a vehicle 
involved in the suspicious activity. 

Description Text description of the entity. [free text field] 

Make Name Code that identifies the manufacturer of the vehicle. 
Code that identifies the specific design or type of 

Model Name vehicle made by a manufacturer—sometimes referred 
to as the series model. 

Style Code Code that identifies the style of a vehicle. [free text 


field] 
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Privacy Source oa 
Field | Class/Element poure: Deonigen 
Venice Vad A four-digit year that is assigned to a vehicle by the 
manufacturer. 
Vehicle Identification | Used to uniquely identify motor vehicles. [free text 
XxX ‘ 
Number field] 
An assigned number sequence required by Federal 
Motor Carrier Safety Administration (FMCSA) for 
all interstate carriers. The identification number 
XxX US DOT Number (found on the power unit, and assigned by the U.S. 
Department of Transportation or by a State) is a key 
element in the FMCSA databases for both carrier 
safety and regulatory purposes. [free text field] 
A text description of a vehicle. Can capture unique 
Vehicle Description _| identifying information about a vehicle such as 
damage, custom paint, etc. [free text field] 
Related ISE-SAR 
Figen Cairn Identifies the fusion center that is the source of the 
ISE-SAR. [free text field] 
: Identifies the fusion center ISE-SAR record identifier 
Euston Center pi: for reports that are possibly related to the current 
SAR Record ID P P y 
report. 
Relationship Describes how this ISE-SAR is related to another 
Description Text ISE-SAR. [free text field] 
Vessel 
VVessel—Official An identification issued by either the State or the US. 
: : Coast Guard. Either number is contained within valid 
State Registration or . ; ; 
Xx Conc Guavd marine documents. State registration numbers should 
: be marked on the forward portion of the hull of the 
Documentation 
vessel, and documented vessels have a number 
Numbers ; : 
permanently marked on the vessel's main beam. 
X Vessel ID A unique identifier assigned to the boat record by the 
agency—used for referencing. [free text field] 
Identifies the organization authorization over the 
Vessel ID Issuing issuance of a vessel identifier. Examples include the 
Authority State parks department and the U.S. Fish and Wildlife 
Department. [free text field] 
Wessel MIC Munbex An identification for an International Maritime 
xX pee Organization Number (IMO number) of a vessel. 
Identification ; 
[free text field] 
x Vessel MMSI An identification for the Maritime Mobile Service 
Identification Identity (MMSJ) or a vessel. [free text field] 
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Privacy Source ie 
Field | Class/Element Source Definition 
Vessel Make Code that identifies the manufacturer of the boat. 


Model name that identifies the specific design or type 
Vessel Model of boat made by a manufacturer—sometimes referred 
to as the series model. 


A four-digit year that is assigned to a boat by the 


Vessel Model Year 
manufacturer. 


Complete boat name and any numerics. [free text 
field] 


The identifying attributes of the hailing port of a 


Vessel Name 


Vessel Hailing Port vessel. [free text field] 

; A data concept for a country under which a vessel 
Mesyeh Nawonel Flag sails. [free text field] 
vee hOvern The length measurement of the boat, bow to stern. 
Length 
Vessel Overall Code that identifies the measurement unit used to 
Length Measure determine the boat length. [free text field] 


The identification number of a boat involved in an 


- Vessel Serial Number incident. [free text field] 


Vessel Type Code Code that identifies the type of boat. 


Vessel Propulsion Text for use when the Boat Propulsion Code does not 
Text afford necessary code. [free text field] 


Association Descriptions 


This section defines specific data associations contained in the ISE-SAR data model structure. 
Reference Figure 2 (UML-based model) for the graphical depiction and detailed elements. 


Table 3 —ISE-SAR Data Model Structure Associations 


Link Between Associated 


Components Target Element 


Link From Suspicious Activity | lexs:Digest/lexsdigest: Associations/lexsdigest:EntityAttachm 
Report to Attachment entLinkAssociation 


Link From Suspicious Activity 
Report to Sensitive Hierarchical Association 
Information Details 


Link From Suspicious Activity 
Report to ISE-SAR Hierarchical Association 
Submission 
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Link Between Associated 
Components 


Target Element 


Link From Suspicious Activity 
to Vehicle 


lexs:Digest/lexsdigest: Associations/lexsdigest:IncidentInvolv 
edItemAssociation 


Link From Vehicle to 
Registration 


Hierarchical Association 


Link From Suspicious Activity 
to Vessel 


lexs:Digest/lexsdigest: Associations/lexsdigest:IncidentInvolv 
edItemAssociation 


Link From Suspicious Activity 
to Aircraft 


lexs:Digest/lexsdigest: Associations/lexsdigest:IncidentInvolv 
edItemAssociation 


Link From Suspicious Activity 
to Location 


lexs:Digest/lexsdigest: Associations/lexsdigest: ActivityLocati 
onAssociation 


Link From Suspicious Activity 
to Target 


Hierarchical Association 


Link From Location to 
Location Coordinates 


Hierarchical Association 


Link From Location to 
Location Address 


Hierarchical Association 


Link From Suspicious Activity 
Report to Related ISE-SAR 


Hierarchical Association 


Link From Person to Location 


lexs:Digest/lexsdigest: Associations/lexsdigest:PersonLocatio 
nAssociation 


Link From Person to Contact 
Information 


lexs:Digest/lexsdigest: Associations/lexsdigest:EntityEmailAs 
sociation or 

lexs:Digest/lexsdigest: Associations/lexsdigest:EntityTelepho 
neNumberAssociation 


Link From Person to Driver 
License 


Hierarchical Association 


Link From Person to Passport 


Hierarchical Association 


Link From Person to Other 
Identifier 


Hierarchical Association 


Link From Person to Physical 
Descriptors 


Hierarchical Association 


Link From Person to Physical 
Feature 


Hierarchical Association 


Link From Person to Person 
Name 


Hierarchical Association 


Link From Suspicious 
Activity 
Report to Follow-Up Action 


Hierarchical Association 
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Link Between Associated 
Components 


Target Element 


Link From Target to Location 


lexs:Digest/lexsdigest: Associations/lexsdigest:ItemLocation 
Association 


Link From Suspicious 
Activity Report to 
Organization 


Hierarchical Association 


Link From Suspicious 
Activity to Person [Witness] 


lexs:Digest/lexsdigest: Associations/lexsdigest:IncidentWitne 
ssAssociation 


Link From Suspicious 
Activity to Person [Person Of 
Interest] 


lexs:Digest/lexsdigest: Associations/lexsdigest:PersonOfInter 
estAssociation 


Link From Organization to 
Target 


Link from ISE-SAR 
Submission to Submitting 


ext:SuspiciousActivityReport/nc:OrganizationItemAssociation 


Hierarchical Association 


Organization 
Link From Submitting Hierarchical Association 
Organization to Contact (Note that the mapping indicates context and we are not 
Information reusing Contact Information components) 
Extended XML Elements 


Additional data elements are also identified as new elements outside of NIEM, Version 2.0. 
These elements are listed below: 


AdditionalDetailsIndicator: Identifies whether more ISE-SAR details are available at the 
authoring/submitting agency/organization than what has been provided in the information 
exchange. 

AssignedByText: Organizational identifier that describes the organization performing a follow- 
up activity. This is designed to keep all parties interested in a particular ISE-SAR informed of 


concurrent investigations. 


AssignedToText: Text describing the person or suborganization that will be performing the 
designated follow-up action. 


ClassificationReasonText: A reason why the classification was made as such. 


ContentValidityCode: Validity of the content, in the assessment of the reporting organization: 
could be one of “confirmed,” “doubtful,” or “cannot be judged.” 


ConveyanceTrack/Intent: A direction by heading and speed or route and/or waypoint of 
conveyance. 
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CriticalInfrastructureIndicator: Critical infrastructure, as defined by 42 USC Sec. 5195c, 
means systems and assets, whether physical or virtual, so vital to the United States that the 
incapacity or destruction of such systems and assets would have a debilitating impact on 
security, national economic security, national public health or safety, or any combination of 
those matters. 


ICA OAirfieldCodeforDeparture: An International Civil Aviation Organization (ICAO) airfield 
code for departure. Indicates aircraft, crew, passengers, and cargo on conveyance location 
information. 


ICA OAirfieldCodeforPlannedDestination: An airfield code for planned destination. Indicates 
aircraft, crew, passengers, and cargo on conveyance location information. 


ICAOforActualDestination: An airfield code for actual destination. Indicates aircraft, crew, 
passengers, and cargo on conveyance location information. 


ICA OAirfieldforAlternate: An airfield code for Alternate. Indicates aircraft, crew, passengers, 
and cargo on conveyance location information. 


NatureofSource-Code: Nature of the source: Could be one of “anonymous tip,” “confidential 
source,” “trained interviewer,” “written statement—victim, witness, other,” “private sector,” or 


“other source.” 
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PrivacyFieldIndicator: Data element that may be used to identify an individual and therefore is 
subject to protection from disclosure under applicable privacy rules. Removal of privacy fields 
from a detailed report will result in a summary report. This privacy field informs users of the 
summary information exchange that additional information may be available from the originator 
of the report. 


ReportPurgeDate: The date by which the privacy fields will be purged from the record system; 
general observation data is retained. Purge policies vary from jurisdiction to jurisdiction and 


should be indicated as part of the guidelines. 


ReportPurgeReviewDate: Date of review to determine the disposition of the privacy fields in a 
detailed ISE-SAR IEPD record. 


SourceReliabilityCode: Reliability of the source, in the assessment of the reporting 
organization: could be one of “reliable,” “unreliable,” or “unknown.” 


VesselHailingPort: The identifying attributes of the hailing port of a vessel. 


VesselNationalFlag: A data concept for a country flag under which a vessel sails. 
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SECTION V: INFORMATION EXCHANGE IMPLEMENTATION ARTIFACTS 


A. Domain Model 
General Domain Model Overview 


The domain model provides a visual representation of the business data requirements and 
relationships (Figure 2). This Unified Modeling Language (UML)-based Model represents the 
Exchange Model artifact required in the information exchange development methodology. The 
model is designed to demonstrate the organization of data elements and illustrate how these 
elements are grouped together into classes. Further, it describes relationships between these 
classes. A key consideration in the development of a domain model is that it must be 
independent of the mechanism intended to implement the model. The domain model is actually 
a representation of how data is structured from a business context. As the technology changes 
and new Functional Standards emerge, developers can create new standards mapping documents 
and schema tied to a new standard without having to readdress business process requirements. 
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Attachment 
+ Attachment Type Text 
* Binary Image 
+ Capture Date 


+ Description Text 
+ Format Type Text 
+ Attachment URI 


* Attachment Privacy Field Indicator 


+ Message Date/Time 
+ LEXS Version 

+ Sequence Number 
+ Community URI 


Sensitive Information Details 1 
Suspicious Activity 


+ Classification Label 

+ Classification Reason Text 
+ Sensitivity Level 

+ Tearlined Indicator 


+ Community Description 
+ Source Reliability Code 
+ Content Validity Code 

+ Nature of Source—Code 
+ Nature of Source—Text 


‘Suspicious Activity Report 


ISE-SAR Submission 
+ Additional Details Indicator 
+ Data Entry Date 
+ Dissemination Code 
+ Message Type Indicator 
+ Privacy Purge Date 
+ Privacy Purge Review Date 
+ ISE-SAR Version 
+ Privacy Information Exists Indicator 
+ Source Agency Record Status Code 


+ Source Agency Record Reference Name 


+ Source Agency Case ID 

+ ISE-SAR Title 

+ Same As Digest Reference 

+ Submitting ISE-SAR Record ID 

+ Dissemination Criteria 

* ISE-SAR Submission Date 

+ Fusion Center Contact First Name 
+ Fusion Center Contact Last Name 
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Submitting Organization 
* Organization Name 

+ Organization ORI 

+ System ID 

* Organization ID 


Contact Information 
+ Person Contact Description 
+ Full Telephone Number 


Follow-Up Action 


+ Activity Date 
* Activity Type 


+ Assigned By Text 
+ Assigned To Text 
= Deposition Text 


+ Status Text 


Registration 
+ Registration Authority Text 
+ Registration Number 
+ Registration Type 
+ Registration Year 


Vehicle 
+ Vehicle Year 


+ Vehicle Identification Number 


+ US DOT Number 

+ Vehicle Description 
+ Color Code 

+ Description 

+ Make Name 

+ Model Name 

* Style Code 


+ Same As Digest Reference 


Activity End Date 
Activity End Time 
Activity Start Date 
Activity Start Time 
Observation End Date 
Observation End Time 
Observation Start Date 
+ Observation Start Time 
+ Threat Type Code 


+ Threat Type Detail Text 
+ Suspicious Activity Code 

+ Weather Condition Details 
+ Same As Digest Reference 


Aircraft 
+ Aircraft Engine Quantity 
+ Aircraft Fuselage Color 
+ Aircraft ID 
+ Aircraft Make Code 


+ Aircraft Model Code 
+ Aircraft Style Code 
+ Aircraft Tail Number 
+ Aircraft Wing Color 


+ Vessel Official State or Coast Guard Number 


+ Vessel ID 
+ Vessel ID 


+ Fusion Center Contact E-Mail Address 
+ Fusion Center Contact Telephone Number 


Related ISE-SAR 
+ Fusion Center ID 
+ Relationship Description Text 


+ Submitting ISE-SAR Record ID. 


Observer 
+ Person Employer ID 
*Observer Type Text 


O.n 
Vessel 


Issuing Authority 


= Vessel Make 

+ Vessel Model 

+ Vessel Model Year 

+ Vessel Name 

+ Vessel Overall Length 


+ Vessel Overall Length Measure 

+ Vessel Serial Number 

+ Vessel Type Code 

+ Vessel Propulsion Text 

+ Same As Digest Reference 

+ Vessel IMO Number Identification 
+ Vessel MMS! Identification 

+ Vessel Hailing Port 

+ Vessel National Flag 


Location Coordinates 
+ Altitude 

+ Coordinate Datum Code 
+ Latitude Degree 

+ Latitude Minute 

+ Latitude Second 

+ Longitude Degree 

+ Longitude Minute 

+ Longitude Second 

+ Conveyance Track/intent 


Source Organization 
+ Organization Name 

+ Organization ORI 

+ System ID 

+ Fusion Center Submission Date 

+ Source Agency Contact First Name 
+ Source Agency Contact Last Name 


Person 
+ AFIS FBI Number 
Age 
+ Age Unit Code 
+ Date of Birth 
= Ethnicity Code 
* Maximum Age 
+ Minimum Age 
+ State Identifier 
+ Tax Identifier Number 
+ Same As Digest Reference 
+ Year of Birth 


Location 


+ Location Description 
+ Same As Digest Reference 


0.1 
1 0.1 


Location Address 
+ Building Description 
+ County Name. 
+ Cross Street Description 
+ Floor Identifier 
+ Mile Marker Text 
+ Municipality Name 
+ Postal Code 
+ Street Number 
+ Street Post Directional 
+ Street Pre Directional 
* Street Type 
* Unit ID 
+ Country Name 
+ Street Name 
+ State Name 
= ICAO Airfield Code for Departure 


+ ICAO Airfield Code for Planned Destination 


+ ICAO for Actual Destination 
+ ICAO Airfield for Alternate 


+ Source Agency Contact Email Address 
+ Source Agency Contact Phone Number 


Driver License 
+ Expiration Date 
+ Issuing Authority Text 
+ Driver License Number 
+ Expiration Year 


0.4 


Target 
* Critical Infrastructure Indicator 


+ Infrastructure Sector Code 
+ Infrastructure Tier Text 

+ Structure Type Code 

+ Target Type Text 

+ Structure Type Text 

+ Target Description Text 


Owning Organization 
+ Organization Description 
+ Organization ID 
+ Organization Local ID 
+ Organization Item 
+ Same As Digest Reference 


Figure 2 — UML-based Model 
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Passport 
+ Passport ID 
+ Expiration Date 
+ Issuing Country Code 
« Expiration Year 


Other Identifier 
+ PID Effective Date 
+ PID Expiration Date 
+ PID Issuing Authority Text 
+ PID Type Code 
+ Person Identification Number (PID) 
= PID Effective Year 
+ PID Expiration Year 


Physical Descriptors 
+ Build Description 

+ Eye Color Code 

+ Eye Color Text 

+ Hair Color Code 

+ Hair Color Text 

+ Person Eyewear Text 

+ Person Facial Hair Text 

+ Person Height 

+ Person Height Unit Code 
+ Person Maximum Height 
+ Person Minimum Height 

+ Person Maximum Weight 
+ Person Minimum Weight 
+ Person Sex Code 

+ Person Weight 

+ Person Weight Unit Code 
+ Race Code 

+ Skin Tone Code 

* Clothing Description Text 


Physical Feature 
+ Feature Description 
* Feature Type Code 
+ Location Description 


Person Name 
+ Name Suffix 
+ Name Type 


+ First Name 

+ Last Name 

+ Middle Name 
+ Full Name 

+ Moniker 
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B. General Mapping Overview 


The detailed component mapping template provides a mechanism to cross-reference the business 
data requirements documented in the domain model to their corresponding XML Element in the 
XML Schema. It includes a number of items to help establish equivalency including the business 
definition and the corresponding XML Element Definition. 


C. ISE-SAR Mapping Overview 


The Mapping Spreadsheet contains seven unique items for each ISE-SAR data class and element. 
The Mapping Spreadsheet columns are described in this section. 


Table 4 — Mapping Spreadsheet Column Descriptions 


Spreadsheet 
Name and Row 


Description 


Privacy Field 
Indicator 


This field indicates that the information may be used to identify an individual. 


Source Class/ 


Content in this column is either the data class (grouping of data elements) or the 


Element actual data elements. Classes are highlighted and denoted with cells that contain 
blue background, while elements have a white background. The word “Source” is 
referring to the ISE-SAR information exchange. 

Source The content in this column is the class or element definition defined for this ISE- 

Definition SAR information exchange. The word “Source” is referring to the ISE-SAR 


information exchange definition. 


Target Element 


The content in this column is the actual namespace path deemed equal to the related 
ISE-SAR information exchange element. 


Target Element 
Definition 


The content in this column provides the definition of the target or NIEM element 
located at the aforementioned source path. “Target” is referring to the NIEM 
definition. 


Target Element 
Base 


Indicates the data type of the terminal element. Data types of niem-xsd:String or 
nc:TextType indicate free-form text fields. 


Mapping Provides technical implementation information for developers and implementers of 
Comments the information exchange. 
D. Schemas 


The JSE-SAR Functional Standard contains the following compliant schemas: 


Subset Schema 
Exchange Schema 
Extension Schema 


Wantlist 
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E. Examples 


The ISE-SAR Functional Standard contains two samples that illustrate exchange content as listed 
below. 


XSL Style Sheet 


This information exchange artifact provides an implementer and users with a communication 
tool that captures the look and feel of a familiar form, screen, or like peripheral medium for 
schema translation testing and user validation of business rules. 


XML Instance 


This information exchange artifact provides an actual payload of information with data content 
defined by the schema. 
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PART B—ISE-SAR CRITERIA 
GUIDANCE 


Part B provides a more thorough explanation of ISE-SAR pre-operational behavioral categories 
and criteria. This guidance highlights the importance of having a trained analyst or investigator 
take into account the context, facts, and circumstances in reviewing suspicious behaviors to 
identify those SARs with a potential nexus to terrorism (i.e., to be reasonably indicative of pre- 
operational planning associated with terrorism). It is important to understand, however, that the 
behavioral categories and criteria listed below reflect studies of prior terrorism incidents and are 
not intended to be limited in any way by the descriptive examples.!? The descriptive examples 
outlined below in the third column do not represent all possible examples that relate to ISE-SAR 
submissions. They are provided as a nonexhaustive list of illustrations of pre-operational 
behaviors that may support the documentation and submission of an ISE-SAR based on the 
contextual assessment of the reviewing analyst or investigator. 


In order to ensure that Part B is responsive to changes in the threat environment, the ISA IPC 
will establish a formal process for reviewing and updating the behavioral categories in the first 
column and the behavioral criteria set forth in the second column. (See the chart below.) The 
process will involve coordination and consultation between and among NSI participants and 
other stakeholders, who will examine the current body of knowledge regarding terrorism and 
other criminal activity. This process will result in the issuance of an update to the JSE-SAR 
Functional Standard when revisions are made to either or both of the first or second columns. 


As needed, the DHS, in conjunction with the FBI, will guide a separate process to allow for 
interim updates to the descriptive examples contained in the third column of Part B. Updates to 
the third column will be based on field experience (e.g., emerging threats, trip wire reports, and 
other intelligence) and will be documented in the change management chart”? of the ISE-SAR 
Functional Standard, rather than reissuance of the JSE-SAR Functional Standard by the PM-ISE. 


The nine behaviors identified below as “Potential Criminal or Non-criminal Activity Requiring 
Additional Information During Vetting” are not inherently criminal behaviors and may include 
constitutionally protected activities that must not be documented in an ISE-SAR that contains PII 
unless there are articulable facts or circumstances that clearly support the determination that the 
behavior observed is not innocent, but rather reasonably indicative of pre-operational planning 
associated with terrorism. Race, ethnicity, gender, national origin, religion, sexual orientation, or 


'9 In addition to the descriptive examples listed in Part B and in order to further enhance NSI participants’ 
understanding of the Part B behavioral categories and criteria, the DHS, in conjunction with the FBI, may develop 
additional examples to be included in implementation materials (e.g., the Vetting ISE-SAR Data guidance) or 
delivered through training. Additionally, relevant federal and SLTT law enforcement agencies may identify and 
report additional examples of terrorism behavior within the 16 behavioral categories to the DHS or the FBI. 

°° This chart is included on page 6 of this Functional Standard. 
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gender identity must not be considered as factors creating suspicion (but attributes may be 
documented in specific suspect descriptions for identification purposes).2' The activities listed as 
“Potential Criminal or Non-Criminal Activity” are not inherently criminal behaviors and are 
potentially constitutionally protected; thus, additional facts or circumstances must be articulated 
in the incident. For example, the trained analyst or investigator should document specific 
additional facts or circumstances indicating that the behavior is suspicious, such as steps to 
conceal one's location and avoid detection while taking pictures. 


ee aes Behavioral Criteria Select Descriptive Examples 
Categories 
DEFINED CRIMINAL ACTIVITY AND POTENTIAL TERRORISM NEXUS 
ACTIVITY 
Breach/ Unauthorized personnel e At 1:30 a.m., an individual breached 
Attempted attempting to enter or actually a security perimeter of a 
Intrusion entering a restricted area, hydroelectric dam complex. 
secured protected site, or Security personnel were alerted by 
nonpublic area. Impersonation an electronic alarm and observed the 
of authorized personnel (e.g., subject on CCTV, taking photos of 
police/security officers, janitor, himself in front of a “No 
or other personnel). Trespassing” sign and of other parts 


of the complex. The subject 
departed prior to the arrival of 
security personnel. 

e A railroad company reported to 
police officers that video 
surveillance had captured images of 
three individuals illegally entering a 
train station to gain access to a 
restricted-access tunnel and taking 
photos of the tunnel. 


>! See footnote 9 for additional guidance. 
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Behavioral 
Categories 


Behavioral Criteria 


Select Descriptive Examples 


Misrepresentation 


Presenting false information or 
misusing insignia, documents, 
and/or identification to 
misrepresent one’s affiliation 
as a means of concealing 
possible illegal activity. 


A state bureau of motor vehicles 
employee discovered a fraudulent 
driver’s license in the possession of 
an individual applying to renew the 
license. A criminal investigator 
determined that the individual had 
also fraudulently acquired a passport 
in the same name and used it to 
make several extended trips to 
countries where terrorist training has 
been documented. 


An individual used a stolen uniform 
from a private security company to 
gain access to the video monitoring 
control room of a shopping mall. 
Once inside the room, the subject 
was caught trying to identify the 
locations of surveillance cameras 
throughout the entire mall. 


Theft/Loss/ 
Diversion 


Stealing or diverting something 
associated with a 
facility/infrastructure or 
secured protected site (e.g., 
badges, uniforms, 
identification, emergency 
vehicles, technology, or 
documents {classified or 
unclassified }), which are 
proprietary to the 
facility/infrastructure or 
secured protected site. 


A federal aerospace facility reported 
a vehicle burglary and the theft of an 
employee’s identification credential, 
a secure ID token, and an encrypted 
thumb drive. 


An explosives ordnance company 
reported a burglary of a storage 
trailer. Items stolen included 
electric initiators, radios, and other 
items that could be used in 
connection with explosives. 
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Behavioral 
Categories 


Behavioral Criteria 


Select Descriptive Examples 


Sabotage/ 
Tampering/ 
Vandalism 


Damaging, manipulating, 
defacing, or destroying part of 
a facility/infrastructure or 
secured protected site. 


A light-rail authority reported the 
discovery of a track switch that had 
been wrapped in a length of chain in 
a possible attempt to derail a 
passenger train car. 

A natural gas company reported the 
deliberate removal of gas meter 
plugs on the “customer side” in two 
separate locations approximately a 
quarter of a mile apart. One location 
was a government facility. The 
discovery was made as the 
government facility’s sensor 
detected the threat of an explosion. 


Cyberattack 


Compromising or attempting to 
compromise or disrupt an 
organization’s information 
technology infrastructure. 


A federal credit union reported it 
was taken down for two and a half 
hours through a cyberattack, and the 
attacker was self-identified as a 
member of a terrorist organization. 


A state’s chief information officer 
reported the attempted intrusion of 
the state’s computer network by a 
group that has claimed responsibility 
for a series of hacks and distributed 
denial-of-service attacks on 
government and corporate targets. 


Expressed or 
Implied Threat 


Communicating a spoken or 
written threat to commit a 
crime that will result in death 
or bodily injury to another 
person or persons or to damage 
or compromise a 
facility/infrastructure or 
secured protected site. 


A customer-experience feedback 
agency received a call from a 
watchlisted individual stating, “Wait 
till they see what we do to the ATF, 
IRS, NSA.” 

A military museum received a 
threatening letter containing a white 
powder. The letter claimed a full- 
scale anthrax attack had been 
launched in retaliation for crimes 
committed by the U.S. Armed 
Forces. 


4 


ISE-FS-200 


Behavioral 
iis : Behavioral Criteria Select Descriptive Examples 
Categories 
Aviation Activity | Learning to operate, or Federal air traffic control personnel 


operating an aircraft, or 
interfering with the operation 
of an aircraft in a manner that 
poses a threat of harm to people 
or property and that would 
arouse suspicion of terrorism or 
other criminality in a 
reasonable person. Such 
activity may or may not be a 
violation of Federal Aviation 
Regulations. 


reported two separate laser beam 
cockpit illumination incidents 
involving different commercial 
airliners occurring at night and 
during the take-off phase of flight. 
The reports revealed that the laser 
beam in both incidents originated 
from the same general geographic 
area, near a major airport on the East 
Coast. These findings indicate the 
likelihood of purposeful acts by the 
same individual. 


A chemical facility representative 
reported an unauthorized helicopter 
hovering within 50 feet of a 
chemical tank located in a posted 
restricted area. An FAA registry 
search of the tail number was 
negative, indicating use of an 
unregistered number, which suggests 
an attempt to conceal the identity of 
the plane’s owner and/or its place of 
origin. 
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Behavioral 
Categories 


Behavioral Criteria 


Select Descriptive Examples 


POTENTIAL CRIMINAL OR NON-CRIMINAL ACTIVITY REQUIRING 
ADDITIONAL INFORMATION DURING VETTING 


Eliciting 
Information 


Questioning individuals or 
otherwise soliciting 
information at a level beyond 
mere curiosity about a public or 
private event or particular 
facets of a facility’s or 
building’s purpose, operations, 
security procedures, etc., in a 
manner that would arouse 
suspicion of terrorism or other 
criminality in a reasonable 
person. 


A tour bus company servicing one of 
the nation’s national monuments 
reported that a male subject asked a 
driver many unusual and probing 
questions about fuel capacity, 
fueling locations, and fueling 
frequency such that the driver 
became very concerned about the 
intent of the questioning. The male 
subject was not a passenger. 


A guest services employee at a 
shopping center was questioned by 
an individual about how much 
security was on the property. The 
employee contacted security 
personnel, who confronted the 
individual. When questioned by 
security personnel, the individual 
quickly changed his questions to 
renting a wheelchair and then left 
without being identified. Security 
personnel reported that the 
individual seemed very nervous and 
that his explanations were not 
credible. 
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Behavioral 
Categories 


Behavioral Criteria 


Select Descriptive Examples 


Testing or 
Probing of 


Security 


Deliberate interactions with, or 
challenges to, installations, 
personnel, or systems that 
reveal physical, personnel, or 
cybersecurity capabilities in a 
manner that would arouse 
suspicion of terrorism or other 
criminality in a reasonable 
person. 


An individual who refused to 
identify himself to facility personnel 
at a shipping port reported that he 
was representing the governor’s 
office and wanted to access the 
secure area of a steel manufacturer’s 
space. He was inquiring about the 
presence of foreign military 
personnel. The individual fled when 
he realized that personnel were 
contacting the security office about 
his activities. He ran through the 
lobby and departed in a vehicle with 
an out-of-state license plate and 
containing two other individuals. 


An individual discharged a fire 
extinguisher in a stairwell of a hotel 
and set off the building’s fire alarm. 
This individual was observed 
entering the hotel approximately two 
minutes before the alarm sounded, 
was observed exiting from the 
stairwell at about the same time as 
the alarm, and then was observed in 
the lobby area before leaving the 
hotel. 


Recruiting/ 
Financing 


Providing direct financial 
support to operations teams and 
contacts or building operations 
teams and contacts; compiling 
personnel data, banking data, or 
travel data in a manner that 
would arouse suspicion of 
terrorism or other criminality in 
a reasonable person. 


A prison inmate reported an effort to 
radicalize inmates nearing release 
toward violence. According to the 
plan, released inmates would go to a 
particular location for the purpose of 
obtaining information about 
attending an overseas terrorist 
training camp. 

An individual reported that a former 
friend and business associate (a 
chemist) had recently asked him to 
participate in a terrorist-cell 
operation by providing funding to 
purchase needed equipment. The 
funding for the operation was 
reportedly linked to the illegal 
production of drugs. 
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Behavioral 
‘ nee Behavioral Criteria Select Descriptive Examples 
Categories 
Photography Taking pictures or video of A citizen reported to local police 


persons, facilities, buildings, or 
infrastructure in an unusual or 
surreptitious manner that would 
arouse suspicion of terrorism or 
other criminality in a 
reasonable person. Examples 
include taking pictures or video 
of infrequently used access 
points, the superstructure of a 
bridge, personnel performing 
security functions (e.g., patrols, 
badge/vehicle checking), 
security-related equipment 
(e.g., perimeter fencing, 
security cameras), etc. 


that she saw an unknown male 
crouched down in the back of an 
SUV with the hatchback open half- 
way. The subject was videotaping a 
National Guard readiness center. 
The vehicle was parked on the side 
of the road but sped away when the 
citizen began to approach the 
vehicle. The citizen could not 
provide a license tag number. 


A citizen observed a female subject 
taking photographs of a collection of 
chemical storage containers in the 
vicinity of the port. The subject was 
hiding in some bushes while taking 
photographs of the storage 

tanks. The citizen reported this 
information to the city’s port police. 
When the port police officer arrived 
and approached the subject, she ran 
to a nearby vehicle and sped off. 
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Behavioral 
4 picsne Behavioral Criteria Select Descriptive Examples 
Categories 
Observation/ Demonstrating unusual or A mall security officer observed a 
Surveillance prolonged interest in facilities, person walking through the mall, 


buildings, or infrastructure 
beyond mere casual (e.g., 
tourists) or professional (e.g., 
engineers) interest and in a 
manner that would arouse 
suspicion of terrorism or other 
criminality in a reasonable 
person. Examples include 
observation through binoculars, 
taking notes, attempting to 
mark off or measure distances, 
etc. 


filming at waist level, and stopping 
at least twice to film his complete 
surroundings, floor to ceiling. The 
subject became nervous when he 
detected security personnel 
observing his behavior. Once 
detained, the subject explained that 
he came to the mall to walk around 
and was simply videotaping the mall 
for his brother. The camera 
contained 15 minutes of mall 
coverage and footage of a public 
train system, along with zoomed 
photos of a bus. 


Military pilots reported that 
occupants of multiple vehicles were 
observing and photographing in the 
area of residences of the military 
pilots. The pilots are responsible for 
the transport of special forces units. 
The report was made once the pilots 
realized that they had been 
individually surveyed by occupants 
of multiple vehicles during the same 
time period. 
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Behavioral 
is : Behavioral Criteria Select Descriptive Examples 
Categories 
Materials Acquisition and/or storage of A garden center owner reported an 
Acquisition/ unusual quantities of materials individual in his twenties seeking to 
Storage such as cell phones, pagers, purchase 40 pounds of urea and 30 


radio control toy servos or 
controllers; fuel, chemicals, or 
toxic materials; and timers or 
other triggering devices, in a 
manner that would arouse 
suspicion of terrorism or other 
criminality in a reasonable 
person. 


pounds of ammonium sulfate. The 
owner does not carry these items and 
became suspicious when the 
individual said he was purchasing 
the items for his mother and then 
abruptly departed the business. 


A female reported that a man wanted 
to borrow her car to purchase 
fertilizer to add to the 3,000 pounds 
he had already acquired. When 
asked why he was acquiring 
fertilizer, he responded that he was 
going to “make something go 
boom.” The subject lives ina 
storage unit and utilizes several 
other storage units at the location. 


Acquisition of 
Expertise 


Attempts to obtain or conduct 
training or otherwise obtain 
knowledge or skills in security 
concepts, military weapons or 
tactics, or other unusual 
capabilities in a manner that 
would arouse suspicion of 
terrorism or other criminality in 
a reasonable person. 


A fusion center received information 
on a watch-listed individual who 
was making repeated attempts to 
gain a hazardous materials 
endorsement for his commercial 
driver’s license even though his 
immigration status made him 
ineligible. 

A complaint was received from a 
gun shop about an individual under 
the age of 21 who had brought 
multiple groups of students into the 
gun shop to rent weapons to shoot. 
They desired to shoot assault rifles 
and handguns and asked questions 
about how to get around state and 
federal laws on weapon possession 
and transport. 


50 


ISE-FS-200 


Behavioral 
iis : Behavioral Criteria Select Descriptive Examples 
Categories 
Weapons Collection or discovery of e Acity employee discovered a 
Collection/ unusual amounts or types of backpack near a park bench along 
Discovery weapons, including explosives, the route of a planned Martin Luther 


chemicals, and other 
destructive materials, or 
evidence, detonations or other 
residue, wounds, or chemical ‘ 
burns, that would arouse 
suspicion of terrorism or other 
criminality in a reasonable 
person. 


King Day march in the city. The 
backpack contained an improvised 
explosive device. 


A suspicious person call resulted in 
the discovery of three individuals 
possessing hand-held radios, a 
military-grade periscope, a 7mm 
Magnum scoped rifle, an AK-74 
assault rifle, a pistol-gripped 
shotgun, a semi-automatic handgun, 
a bandolier of shotgun ammunition, 
dozens of loaded handgun 
magazines, dozens of AK-74 
magazines, Ghillie suits, several 
homemade explosive devices 
constructed of pill bottles, blast 
simulators, and military clothing. 


Sector-Specific 
Incident 


Actions associated with a e 
characteristic of unique concern 
to specific sectors (e.g., the 
public health sector), with 
regard to their personnel, 
facilities, systems, or functions 
in a manner that would arouse 
suspicion of terrorism or other 
criminality in a reasonable 
person. 


A water company reported that it 
had security footage of an unknown 
person breaking into the premises. 
At 5 a.m., the individual cut through 
a fence and used a tool to breach a 
door. Once inside the building, the 
person took photos of the 
chlorination system, including the 
chlorine tank. A pump failure 
occurred, but it was not certain that 
this was related to the break-in. 


A vehicle containing two individuals 
was discovered in a secure area of a 
loading dock at a facility that stores 
officially designated sensitive 
chemicals. The vehicle sped off 
upon discovery by security 
personnel. Surveillance footage 
revealed that the individuals gained 
entry by manually lifting a security 
gate to the compound. 
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PART C—ISE-SAR INFORMATION FLOW DESCRIPTION 


Step 


Activity 


Process 


Notes 


Observation 


The information flow begins when a 
person observes behavior that, based on 
the circumstances, would appear 
suspicious to a reasonable person. Such 
activities could include, but are not limited 
to, expressed or implied threats, probing 
of security responses, site breach or 
physical intrusion, cyberattacks, 
indications of unusual public health-sector 
activity, unauthorized attempts to obtain 
precursor chemical/agents or toxic 
materials, or other usual behavior or 
sector-specific incidents.*” Race, ethnicity, 
gender, national origin, religion, sexual 
orientation, or gender identity must not be 
considered as factors creating suspicion 
(but attributes may be documented in 
specific suspect descriptions for 
identification purposes). 


The observer may be a 
private citizen, a 
government official, or 
a law enforcement 


officer. 


22 A SAR is official documentation of observed behavior that is reasonably indicative of pre-operational planning 


associated with terrorism or other criminal activity. ISE-SARs are a subset of all SARs that have been determined by 
an appropriate authority to have a potential nexus to terrorism. An ISE-SAR is a SAR (as defined below in 5.t) that 
has been determined, pursuant to a two-part process, to have a potential nexus to terrorism (i.e., to be reasonably 
indicative of pre-operational planning associated with terrorism). ISE-SAR business rules and privacy and civil 
liberties requirements will serve as a unified process to support the reporting, tracking, processing, storage, and 


retrieval of terrorism-related suspicious activity reports across the ISE. 
3 See footnote 9 for additional guidance. 
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Step 


Activity 


Process 


Notes 


Initial Response 
and Investigation 


An official of a Federal, State, local, 
tribal, or territorial agency with 
jurisdiction responds to the reported 
observation.” This official gathers 
additional facts through personal 
observations, interviews, and other 
investigative activities. At the discretion 
of the official, further observation or 
engaging the subject in conversation may 
be required. Additional information 
acquired from such limited investigative 
activity may then be used to determine 
whether to dismiss the activity as innocent 
or escalate to the next step of the process, 
which may include reporting it to the 
FBI’s JTTF. In the context of priority 
information requirements, as provided by 
State and major urban area fusion centers, 
the officer/agent may use a number of 
information systems to continue the 
investigation. These systems provide the 
officer/agent with a more complete picture 
of the activity being investigated. Some 
examples of such systems and the 
information they may provide include the 
following: 

e The Department of Motor Vehicles 
provides driver’s license and vehicle 
registration information. 

e The National Crime Information 
Center provides wants and warrants 
information; criminal history 
information; and access to the 
Terrorist Screening Center, the 
terrorist watch list, and Regional 
Information Sharing Systems (RISS). 

e Other Federal and SLTT systems can 
provide criminal checks within the 
immediate and surrounding 
jurisdictions. 

When the initial investigation is complete, 

the official documents the event. The 

report becomes the initial record for the 
law enforcement or Federal agency’s 
records management system (RMS). 


The event may be 
documented using a 
variety of reporting 
mechanisms and 
processes, including, 
but not limited to, 
reports of investigation, 
event histories, field 
interviews, citations, 
incident reports, and 
arrest reports. 


The record may be hard 
and/or soft copy and 
does not yet constitute 
an ISE-SAR. 


Ie, 


Step Activity Process Notes 


3 | Local/Regional The agency processes and stores the The State or major 
Processing information in the RMS, following agency | urban area fusion center 
policies and procedures. The flow will should have access to 


vary depending on whether the reporting _| all suspicious activity 
organization is an SLTT agency ora field | reporting in its 

element of a Federal agency. geographic region, 
SLTT: Based on specific criteria or the whether collected by 
nature of the activity observed, the SLTT |SLTT entities or Federal 
law enforcement components forward the field components. 
information to the State or major urban 
area fusion center and/or FBI’s JTTF for 
further analysis. 


Federal: Federal field components 
collecting suspicious activity forward their 
reports to the appropriate resident, district, 
or division office. This information is 
reported to field intelligence groups or 
headquarters elements through processes 
that vary from agency to agency. 

In addition to providing the information to 
its headquarters office, the Federal field 
component provides an information copy 
to the State or major urban area fusion 
center in its geographic region. This 
information contributes to the assessment 
of all suspicious activity in the State or 
major urban area fusion center’s area of 
responsibility. 


4 Tf a suspicious activity has a direct connection to terrorist activity, the flow moves along an operational path. The 
information must move immediately into law enforcement operations so as to lead to action against the identified 
terrorist activity. In this case, the suspicious activity would travel from the initial law enforcement contact directly to 
the FBI’s JTTF. 
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Step 


Activity 


Process 


Notes 


4 |Creation of an The determination of an ISE-SAR is a Some of this 

ISE-SAR two-part process. First, at the State or information may be 
major urban area fusion center or Federal | used to develop criminal 
agency, an analyst or law enforcement intelligence information 
officer reviews the newly reported or intelligence products 
information for suspicious behavior based | that identify trends and 
on his or her training and expertise and other terrorism-related 
against ISE-SAR behavior criteria. information and are 
Second, based on the context, facts, and derived from Federal 
circumstances, the analyst or investigator | agencies such as NCTC, 
determines whether the information DHS, and the FBI. 
meeting the criteria has a potential nexus |For SLTT law 
to terrorism (i.e., to be reasonably enforcement, the ISE- 
indicative of pre-operational planning SAR information may 
associated with terrorism). or may not meet the 

reasonable suspicion 
Once this determination is made, the standard for criminal 
information becomes an ISE-SAR and is _| intelligence 
formatted in accordance with the JSE-SAR | information. If it does, 
Functional Standard. The ISE-SAR is the information may 
then shared with the FBI’s JTTF and also be submitted to a 
appropriate law enforcement and criminal intelligence 
homeland security personnel in the State | information database 
or major urban area fusion center’s area of | and handled in 
responsibility. accordance with 
28 CFR Part 23. 
5 _|ISE-SAR Sharing | In a State or major urban area fusion 


and Dissemination 


center, the ISE-SAR is shared with the 
appropriate FBI field components and the 
DHS representative and made accessible 
to other law enforcement agencies in the 
NSI SDR. 

The FBI field component enters the ISE- 
SAR information into the FBI system and 
sends the information to FBI 
Headquarters. 

The DHS representative enters the ISE- 
SAR information into the DHS system 
and sends the information to DHS, Office 
of Intelligence Analysis. The ISE-SAR is 
also made available to the FBI for 
investigation. 
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Step 


Activity 


Process 


Notes 


Federal 
Headquarters 
(HQ) Processing 


At the Federal headquarters level, ISE- 
SAR information is combined with 
information from other State or major 
urban area fusion centers and Federal field 
components and incorporated into an 
agency-specific national threat assessment 
that is shared with NSI participants and 
other ISE members. 

The ISE-SAR information may be 
provided to NCTC in the form of an 
agency-specific strategic threat assessment 
(e.g., Strategic intelligence product). 


NCTC Analysis 


When product(s) containing the ISE-SAR 
information are made available to NCTC, 
they are processed, collated, and analyzed 
with terrorism information from across the 
five communities—intelligence, defense, 
law enforcement, homeland security, and 
foreign affairs—and open sources. 

NCTC has the primary responsibility 
within the Federal government for 
analysis of terrorism information. NCTC 
produces federally coordinated analytic 
products that are shared through NCTC 
Online, the NCTC secure Web site. 


The Joint Counterterrorism Assessment 
Team (JCAT), formerly the Interagency 
Threat Assessment and Coordinating 
Group (ITACG), housed at NCTC, 
facilitates the production of coordinated 
terrorism-related products that are focused 
on issues and needs of SLTT entities and, 
when appropriate, private-sector entities. 
JCAT is the mechanism that facilitates the 
sharing of counterterrorism information 
with SLTT entities. 
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Step Activity Process Notes 


8 |NCTC Alerts, NCTC products,”° informed by the JCAT |NCTC products form 
Warnings, as appropriate, are shared with all the foundation of 
Notifications appropriate Federal departments and informational needs and 

agencies and with SLTT entities through _| guide collection of 
the State or major urban area fusion additional information. 


centers. The sharing with SLTT entities 
and the private sector occurs through the | NCTC products should 
Federal departments or agencies that have | pe responsive to 

been assigned the responsibility and have | jyformational needs of 
connectivity with the State or major urban | s} TT entities. 

area fusion centers. Some State or major 
urban area fusion centers, with secure 
connectivity and an NCTC Online 
account, can access NCTC products 
directly. State or major urban area fusion 
centers will use NCTC and JCAT 
informed products to help develop 
geographic-specific risk assessments 
(GSRAs) to facilitate regional 
counterterrorism efforts. The GSRAs are 
shared with SLTT entities and the private 
sector as appropriate. The recipient of a 
GSRA may use the GSRA to develop 
information gathering priorities or 


requirements. 
9 | Focused The information has come full circle and 
Collection the process begins again, informed by 


another Federal organization’s product 
and the identified information needs of 
SLTT entities and Federal field 
components. 


25 NCTC products include: Alerts, warnings, and notifications—identifying time sensitive or strategic threats; 
situational awareness reports; and strategic and foundational assessments of terrorist risks and threats to the United 
States and related intelligence information. 
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Figure 3—SAR Information Flow Diagram 


PART D—ACRONYMS 


Common Terrorism Information Sharing Standards 

Concept of Operations 

Department of Homeland Security 

Department of Justice 

Evaluation Environment 

Federal Bureau of Investigation 

Field Intelligence Groups 

Geographic-Specific Risk Assessment 

Information Exchange Package Document 

Intelligence Reform and Terrorism Prevention Act of 2004 
Information Sharing and Access Interagency Policy Committee 
Information Sharing Environment 

Information Sharing Environment-Suspicious Activity Report 
Joint Counterterrorism Assessment Team 

Joint Terrorism Task Force 

National Counterterrorism Center 

National Information Exchange Model 

Nationwide SAR Initiative 

privacy, civil rights, and civil liberties 


privacy and civil liberties 


og 
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Program Manager for the Information Sharing Environment 
Suspicious Activity Report 

Shared Data Repository 


State, local, tribal, and territorial 


60 


